PT-2021-15717 · WordPress · Woocommerce Upload Files

Ramuel Gall · Published 2021-04-05 · Updated 2024-11-25 · CVE-2021-24171

CVSS v2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions:

WooCommerce Upload Files WordPress plugin versions prior to 59.4

Description:

The plugin's sanitization pass that removes blocked extensions, such as .php, can be bypassed by embedding a blocked extension within another blocked extension in the `wcuf_file_name` parameter, so that a blocked extension remains after the pass has run. Additionally, a double-extension attack is possible, and files can be uploaded to a different location via path traversal using the `wcuf_current_upload_session_id` parameter.

Recommendations:

For versions prior to 59.4, update to version 59.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `wcuf_file_name` and `wcuf_current_upload_session_id` parameters until a patch is available.
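As an added illustration (not code from the plugin or from the advisory's author), the Python below contrasts a single-pass blocklist strip of the kind the description covers with a validating check for the file name and the session id; the extension lists, upload root and function names are assumptions.

```python
import os
import re
from typing import Optional

# Constructed for this example; the plugin's real lists and paths are not on the page.
BLOCKED_EXTENSIONS = (".php", ".phtml", ".phar")
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
UPLOAD_ROOT = "/var/www/uploads"  # hypothetical upload directory


def weak_sanitize(file_name: str) -> str:
    """Single-pass blocklist stripping of the kind the advisory describes.

    Each blocked token is removed once, left to right, and the result is not
    re-checked, so a blocked extension nested inside another one survives.
    """
    for ext in BLOCKED_EXTENSIONS:
        file_name = file_name.replace(ext, "")
    return file_name


def is_acceptable_file_name(file_name: str) -> bool:
    """Hardened check: validate the name instead of rewriting it.

    The name must be a bare basename (no separators, no traversal) and every
    extension segment, not only the last, must be on the allowlist, which
    also rejects double extensions such as name.php.jpg.
    """
    if file_name in ("", ".", "..") or file_name != os.path.basename(file_name):
        return False
    parts = file_name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(seg.lower() in ALLOWED_EXTENSIONS for seg in parts[1:])


def resolve_session_dir(session_id: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Map a client-supplied session id to a directory under root, or None.

    The id is limited to a safe character set and the resolved path is checked
    to still lie under the upload root, so traversal cannot redirect the upload.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", session_id):
        return None
    root = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root, session_id))
    if os.path.commonpath([root, target]) != root:
        return None
    return target
```

The weak function shows why a stripping pass that is not re-checked is insufficient; the two validating functions reject the name and the session id outright instead of trying to repair them.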

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2021-24171

Affected Products: Woocommerce Upload Files