Cyber Resilience

CVE-2024-11465

HighRCE

Published: 07 January 2025

Published
07 January 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0133 80.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11465 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Yikesinc Custom Product Tabs For Woocommerce. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-11465 is a PHP Object Injection vulnerability (CWE-502) affecting the Custom Product Tabs for WooCommerce plugin for WordPress in all versions up to and including 1.8.5. The issue arises from deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter, enabling authenticated attackers to inject a PHP Object. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Shop Manager-level access or higher can exploit this vulnerability over the network with low complexity. While no known Proof-of-Concept (POP) chain exists within the vulnerable plugin itself, the presence of a POP chain via an additional plugin or theme on the target system could allow the attacker to achieve arbitrary file deletion, retrieval of sensitive data, or remote code execution.

References provided by the CVE point to specific code locations in the plugin's source, including lines in class.yikes-woo-generate-html.php (L19), class.yikes-woo-saved-tabs.php (L222, L449), class.yikes-woo-tabs-display.php (L47), and the main plugin file (L262), highlighting the deserialization points in the admin and public components. No patch or mitigation details are specified in the available information.

EU & UK References

Vulnerability details

The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter. This makes it possible for authenticated…

more

attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

PHP object injection in public-facing WordPress plugin enables exploitation of the web app for RCE (via POP chains) and shell command execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1913Same product class: WordPress / CMS plugin
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2025-2485Same product class: WordPress / CMS plugin
CVE-2024-13831Same product class: WordPress / CMS plugin
CVE-2026-32502Shared CWE-502
CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2026-24989Shared CWE-502
CVE-2025-24618Same product class: WordPress / CMS plugin
CVE-2025-26885Shared CWE-502
CVE-2025-30773Shared CWE-502

Affected Assets

yikesinc
custom product tabs for woocommerce
≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the known deserialization flaw in Custom Product Tabs for WooCommerce versions up to 1.8.5, preventing exploitation via patching.

prevent

Mandates validation and filtering of untrusted input to the 'yikes_woo_products_tabs' post meta parameter, directly countering the PHP Object Injection vulnerability.

prevent

Enforces least privilege to restrict Shop Manager-level access or higher from modifying sensitive post meta, reducing the authenticated attack surface.

References