CVE-2018-8711

Name of the Vulnerable Software and Affected Versions WooCommerce Products Filter plugin versions prior to 2.2.0

Description A local file inclusion issue was discovered due to the lack of args/input validation on the render html function before allowing it to be called by the extract() function, a PHP built-in function. This allows the supplied args/input to overwrite the $pagepath variable, potentially leading to a local file inclusion attack. The issue can be demonstrated by the shortcode parameter in a woof redraw woof action.

Recommendations For versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider disabling the render html function until a patch is available. Restrict access to the woof redraw woof action to minimize the risk of exploitation. Avoid using the shortcode parameter in the affected action until the issue is resolved.