CVE-2024-4371 CRITICAL

CVE-2024-4371: CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More <= 4.4.1 - Unauthenticated PHP Object Injection

Vendor Codexpert
Product CoDesigner – All in One Elementor WooCommerce Builder
Weakness CWE-502 · Unsafe deserialization
Published June 13, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

9.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Key dates

02Disclosure timeline

June 13, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-47248 PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file CVE-2026-7635 coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field CVE-2022-3525 Deserialization of Untrusted Data in librenms/librenms CVE-2025-64164 DataEase is vulnerable to Oracle JNDI Injection CVE-2019-15271 Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Arbitrary Command Execution Vulnerability