Woocommerce · Abandoned Cart Pro For Woocommerce · CVE-2025-4387
**Name of the Vulnerable Software and Affected Versions**
Abandoned Cart Pro for WooCommerce versions up to, and including, 9.16.0
**Description**
The plugin is vulnerable to authenticated arbitrary file upload because the `wcap add to cart popup upload files` function performs no file type validation. An authenticated attacker with subscriber-level access or higher can upload arbitrary files to the site's server, which may lead to remote or local code execution depending on the server configuration.
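To show what the missing validation looks like in a WordPress context, here is an added example (not code from Abandoned Cart Pro) of an AJAX upload handler that enforces the controls the advisory says are absent: a capability check beyond "logged in", a nonce, and an extension/MIME allowlist applied through `wp_handle_upload()`. The action name, the `attachment` field and the allowlist are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. The 'example_cart_upload' action,
// the 'attachment' field and the allowlist are assumptions.

add_action( 'wp_ajax_example_cart_upload', 'example_cart_upload_handler' );

function example_cart_upload_handler() {
    // 1. Authorization: any logged-in user (e.g. Subscriber) is not enough.
    //    Require a capability the site deliberately grants.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_cart_upload', 'nonce' );

    if ( empty( $_FILES['attachment']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // 3. File type validation: explicit allowlist of extension => MIME.
    //    wp_handle_upload() runs wp_check_filetype_and_ext() against it,
    //    comparing the extension with the file's actual content, so a
    //    script renamed to look like an image is rejected rather than
    //    written into the uploads directory.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    require_once ABSPATH . 'wp-admin/includes/file.php';

    $result = wp_handle_upload(
        $_FILES['attachment'],
        array(
            'test_form' => false, // not submitted via a wp-admin form
            'test_type' => true,  // enforce the extension/MIME check
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // Only a validated, sanitized file reaches disk; return its URL.
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Restricting the allowlist to what the feature actually needs matters more than the specific entries shown; `upload_mimes` filters that widen it site-wide should be reviewed as well.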
**Recommendations**
For versions up to, and including, 9.16.0, update to a version that includes the fix for the arbitrary file upload vulnerability.
As a temporary workaround, consider disabling the `wcap add to cart popup upload files` function until a patch is available.