WordPress Product Addons & Fields for WooCommerce plugin <= 32.0.20 - Content Injection vulnerability
Description
PPOM for WooCommerce plugin up to version 32.0.20 contains an injection vulnerability allowing code inclusion via unsanitized special elements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PPOM (Personalized Product Option Manager) plugin for WooCommerce, version 32.0.20 and earlier, suffers from improper neutralization of special elements in output that is used by a downstream component, leading to code inclusion. User-supplied input is processed and passed to downstream components without adequate sanitization, which allows an attacker to inject arbitrary code through the plugin's custom fields and product add-on functionality. All versions through 32.0.20 are affected (the lower bound of the affected range is listed as n/a) [1].
Exploitation
An attacker with the ability to supply input to the plugin's custom fields (e.g., via product forms or admin panels) can craft malicious payloads that bypass sanitization. No special network position or authentication is explicitly required, though exploitation likely depends on the application's configuration. The attacker injects special characters or code into fields that are then rendered or executed by a downstream component, leading to code inclusion.
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the WordPress installation. This can lead to complete compromise of the affected site, including data theft, site defacement, or further propagation of attacks. The injection enables code inclusion, which can escalate to remote code execution depending on the downstream component's processing.
Mitigation
The vulnerability is fixed in version 34.0.1 and later [1]. Users are strongly advised to update to the latest version immediately. No workarounds are provided in the available references. The plugin is actively maintained, and upgrading eliminates the risk. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=32.0.20
- (no CPE) range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.