PT-2022-25394 · WordPress · The Return Refund/Exchange For Woocommerce

Cydave · Published 2022-12-26 · Updated 2023-01-04 · CVE-2022-4047
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Return Refund and Exchange For WooCommerce WordPress plugin, versions prior to 4.0.9
Description: The plugin does not validate attachment files uploaded through an AJAX action. Because that action is reachable by unauthenticated users, it could allow them to upload arbitrary files, including PHP files, which could lead to remote code execution (RCE).
Recommendations: For versions prior to 4.0.9, update to version 4.0.9 or later to resolve the issue. As a temporary workaround, restrict access to the AJAX action until the update is applied.
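
The following is an added illustration of what a hardened handler for such an AJAX upload looks like: it is not the plugin's code, and the hook name, nonce action and form field names are hypothetical. It shows the three controls the description says were missing or needed: an authentication requirement on the action, a CSRF nonce, and an allow-list check of both extension and file content before the file is written.

```php
<?php
// Hypothetical hardened handler; not the plugin's own code.
// Hook name, nonce action and field names are assumptions.

// Register only the authenticated hook. A wp_ajax_nopriv_* hook is
// what exposes an upload action to unauthenticated users.
add_action( 'wp_ajax_example_refund_upload', 'example_refund_upload' );

function example_refund_upload() {
    // 1. Anti-CSRF nonce: check_ajax_referer() dies with a 403 on failure.
    check_ajax_referer( 'example_refund_upload', 'nonce' );

    // 2. Authorization: a logged-in user who may upload files.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
    if ( empty( $_FILES['attachment'] )
        || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file' ), 400 );
    }

    // 3. Allow-list of types a refund request plausibly needs; PHP is
    //    not on it, so .php/.phtml uploads are rejected outright.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // 4. Check extension and actual content together, so a renamed
    //    script or a mismatched image/extension pair is refused.
    $check = wp_check_filetype_and_ext(
        $_FILES['attachment']['tmp_name'],
        $_FILES['attachment']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed' ), 415 );
    }

    // 5. Let core move the file into the uploads dir under a sanitized
    //    name; 'mimes' enforces the allow-list a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['attachment'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```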

Related Identifiers

CVE-2022-4047

Affected Products

The Return Refund/Exchange For Woocommerce