PT-2021-15717 · WordPress · Woocommerce Upload Files

Ramuel Gall · Published 2021-04-05 · Updated 2024-11-25 · CVE-2021-24171

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WooCommerce Upload Files WordPress plugin versions prior to 59.4
Description: The issue allows bypassing the sanitization pass that removes blocked extensions, such as .php, by embedding a blocked extension within another blocked extension in the wcuf file name parameter. Additionally, it is possible to perform a double extension attack and upload files to a different location via path traversal using the wcuf current upload session id parameter.
Recommendations: For versions prior to 59.4, update to version 59.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the wcuf file name and wcuf current upload session id parameters until a patch is available.
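To make the two failure modes concrete, here is an added Python illustration (not the plugin's or the advisory's code): a single-pass blocklist strip of the kind the description refers to, beside an allowlist-based file name check and a session id validation that keeps the resolved directory under the upload root. The extension lists, the session id pattern and the upload root are assumptions chosen for the example.

```python
import posixpath
import re

# Constructed illustration, not the plugin's code. The blocklist,
# allowlist and session id pattern are assumptions for the example.
BLOCKED_EXTENSIONS = (".php", ".phtml", ".php5")
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "pdf"}
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_sanitize(filename: str) -> str:
    """Weak pattern: one pass that deletes each blocked extension string.
    Deleting an inner occurrence can splice the surrounding characters
    back into a blocked extension, so the output cannot be trusted."""
    for ext in BLOCKED_EXTENSIONS:
        filename = filename.replace(ext, "")
    return filename


def effective_extension(filename: str) -> str:
    """The extension a web server would normally dispatch on."""
    return filename.rpartition(".")[2].lower()


def is_safe_filename(filename: str) -> bool:
    """Allowlist check: bare file name, no empty segments, and every
    extension segment (not only the last) must be allowlisted, which
    rejects double extensions such as name.php.jpg outright."""
    if "\\" in filename or "\x00" in filename:
        return False
    if posixpath.basename(filename) != filename:
        return False
    parts = filename.split(".")
    if len(parts) < 2 or not all(parts):
        return False
    return all(p.lower() in ALLOWED_EXTENSIONS for p in parts[1:])


def resolve_session_dir(upload_root: str, session_id: str):
    """Validate a client-supplied session id before using it as a path
    component, then confirm the resolved directory stays under the root.
    Returns the directory path, or None when the id is rejected."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    root = upload_root.rstrip("/") + "/"
    target = posixpath.normpath(posixpath.join(root, session_id))
    if not target.startswith(root):
        return None
    return target
```

Running `naive_sanitize` on a constructed nested name such as `report.p.phphp` yields `report.php`, while `is_safe_filename` rejects the same input without any stripping step.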

Fix

Weakness Enumeration: Unrestricted File Upload
Related Identifiers: CVE-2021-24171
Affected Products: Woocommerce Upload Files