PT-2023-28284 · WordPress · Orders Tracking For Woocommerce

Utkarsh Agrawal

·

Published

2023-09-04

·

Updated

2023-09-08

·

CVE-2023-4216

CVSS v3.1

2.7

Low

Vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Orders Tracking for WooCommerce WordPress plugin version 1.2.5 and earlier

Description

The issue allows high-privilege users with the `manage_woocommerce` capability to read any file on the web server via a path traversal attack when importing a CSV file, because the file url parameter is not validated. The content retrieved is limited to the first line of the file.

Recommendations

For versions prior to 1.2.6, update to version 1.2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the CSV import feature to minimize the risk of exploitation. Avoid using the file url parameter in the affected import functionality until the issue is resolved.
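The defect class described above, shown as an added illustration rather than the plugin's own code: a CSV-import handler that opens whatever path the caller supplies beside one that canonicalizes the path, pins it to the uploads directory and checks the capability. Function names, the `file_url` POST field, the nonce action and the uploads-directory restriction are assumptions.

```php
<?php
// Added example, not the plugin's code. Names (my_plugin_*, 'file_url',
// the nonce action) and the uploads-directory restriction are assumed.

// Vulnerable pattern: the caller-supplied path is opened as-is, so a
// relative path containing '..' segments escapes the intended directory.
function my_plugin_read_first_line_unsafe( $file_url ) {
    $fh   = fopen( $file_url, 'r' );
    $line = $fh ? fgets( $fh ) : false;
    if ( $fh ) { fclose( $fh ); }
    return $line;
}

// Hardened pattern: resolve to a canonical path, require it to stay inside
// $base_dir, and accept only .csv files.
function my_plugin_resolve_csv_path( $file_url, $base_dir ) {
    // Reject stream wrappers (php://, phar://, http://) and NUL bytes outright.
    if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $file_url ) || strpos( $file_url, "\0" ) !== false ) {
        return false;
    }
    $base = realpath( $base_dir );
    $real = realpath( $base . '/' . ltrim( $file_url, '/' ) );
    if ( false === $base || false === $real ) {
        return false;
    }
    // The canonical path must begin with the canonical base plus a separator.
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return false; // traversal escaped the base directory
    }
    if ( 'csv' !== strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ) ) {
        return false;
    }
    return $real;
}

// WordPress handler: capability and nonce checks, then the safe resolver.
function my_plugin_csv_import() {
    if ( ! current_user_can( 'manage_woocommerce' ) || ! check_ajax_referer( 'my_plugin_import', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $raw    = sanitize_text_field( wp_unslash( $_POST['file_url'] ?? '' ) );
    $path   = my_plugin_resolve_csv_path( $raw, $upload['basedir'] );
    if ( false === $path ) {
        wp_send_json_error( 'invalid file path', 400 );
    }
    $fh  = fopen( $path, 'r' );
    $row = fgetcsv( $fh ); // first CSV row only, mirroring the import's behaviour
    fclose( $fh );
    wp_send_json_success( $row );
}
```

The `realpath()` prefix comparison is what closes the traversal: a path that resolves outside the base directory is rejected before any file is opened.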

Related Identifiers

CVE-2023-4216

Affected Products

Orders Tracking For Woocommerce