
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The Tabs for WooCommerce plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2024-13831) affecting all versions up to and including 1.0.0. The vulnerability was discovered and disclosed on February 28, 2025, impacting the WordPress plugin ecosystem (NVD CVE).
The vulnerability exists in the 'product_has_custom_tabs' function where untrusted input is deserialized, leading to potential PHP Object Injection. The issue is classified as CWE-502 (Deserialization of Untrusted Data). The vulnerability has received a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD CVE).
While the vulnerability itself requires a POP chain to be exploitable, when combined with other plugins or themes containing such a chain, it could allow attackers to perform critical actions including deletion of arbitrary files, retrieval of sensitive data, or code execution. The impact is limited to installations where additional plugins or themes with compatible POP chains are present (NVD CVE).
Users should upgrade the Tabs for WooCommerce plugin beyond version 1.0.0 when a patch becomes available. In the meantime, limiting access to Shop Manager roles and conducting an audit of installed plugins and themes for potential POP chains is recommended (NVD CVE).
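The plugin and theme audit recommended above can start with a heuristic scan like the following. This is an added example, not code from the plugin or from this database: it lists PHP magic methods (the ones PHP runs automatically on deserialized objects) whose bodies reach a file or code execution call. The names `audit_source` and `audit_tree`, the sink list, and the `SAMPLE` class are constructed for illustration, and the brace matching ignores strings and comments, so every hit still needs manual review.

```python
import re
from pathlib import Path

# Magic methods PHP invokes on its own during or after unserialize().
MAGIC = "__wakeup|__unserialize|__destruct|__toString"
# Calls worth a manual look when reachable from a magic method (not exhaustive).
SINKS = (r"unlink|file_put_contents|eval|system|shell_exec|exec|passthru|"
         r"call_user_func(?:_array)?|(?:include|require)(?:_once)?")
METHOD_RE = re.compile(r"function\s+(%s)\s*\([^)]*\)[^{;]*\{" % MAGIC, re.I)
# The lookbehind skips method calls ($obj->exec), variables and longer names.
SINK_RE = re.compile(r"(?<![\w>:$])(%s)\b" % SINKS, re.I)

# Constructed sample input, not taken from any real plugin or theme.
SAMPLE = r'''<?php
class TempFile {
    public $path;
    public function __destruct() {
        if ($this->path) { unlink($this->path); }
    }
}
class Label { public function __toString() { return $this->text; } }
'''

def magic_bodies(src):
    """Yield (method_name, body) per magic method, using naive brace matching."""
    for m in METHOD_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def audit_source(src):
    """Return [(method, [sinks])] for magic methods whose body calls a sink."""
    out = []
    for name, body in magic_bodies(src):
        hits = sorted({h.lower() for h in SINK_RE.findall(body)})
        if hits:
            out.append((name, hits))
    return out

def audit_tree(root):
    """Scan every .php file under root, e.g. wp-content/plugins."""
    found = {}
    for path in Path(root).rglob("*.php"):
        hits = audit_source(path.read_text(errors="replace"))
        if hits:
            found[str(path)] = hits
    return found
```

Run `audit_tree` over both `wp-content/plugins` and `wp-content/themes`; a class flagged here is only a candidate, since whether it is reachable depends on what the deserialized data can control.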
Source: This report was generated using AI