#VU69844 Code Injection in Checkout Field Editor (Checkout Manager) for WooCommerce - CVE-2022-3490

Cybersecurity Help s.r.o.

Published: 2022-12-02

Vulnerability identifier: #VU69844

Vulnerability risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-3490

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Checkout Field Editor (Checkout Manager) for WooCommerce
Web applications / Modules and components for CMS

Vendor: ThemeHiGH

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted HTTP request and execute arbitrary PHP code on the server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Checkout Field Editor (Checkout Manager) for WooCommerce: 1.0.9 - 1.7.2

External links
https://wpscan.com/vulnerability/0c9f22e0-1d46-4957-9ba5-5cca78861136

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

PHP object injection in WordPress Checkout Field Editor for WooCommerce plugin