CVE-2024-1205

Name of the Vulnerable Software and Affected Versions The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress version 1.2.0 and earlier

Description The issue is related to arbitrary file uploads due to missing file type validation in the nouvello upload csv file function. This allows authenticated attackers with subscriber-level access and above to upload arbitrary files on the affected site's server, potentially making remote code execution possible.

Recommendations For versions 1.2.0 and earlier, update the plugin to a version that includes the fix for the arbitrary file upload issue. As a temporary workaround, consider disabling the nouvello upload csv file function until a patch is available. Restrict access to the uploads folder to minimize the risk of exploitation.