PT-2024-38215 · WordPress · Woocommerce Google Feed Manager

Lucio Sá

·

Published

2024-08-22

·

Updated

2024-09-27

·

CVE-2024-7258

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

WooCommerce Google Feed Manager plugin for WordPress, versions 1.0 through 2.8.0
Description

The issue is due to a missing capability check on the wppfm removeFeedFile function, which lets authenticated attackers with Contributor-level access and above delete arbitrary files on the server. Deleting the right file can lead to remote code execution: removing wp-config.php, for example, drops the site back into the WordPress installation flow, which an attacker can complete against a database they control and then use to install arbitrary code.

Recommendations

For versions 1.0 through 2.8.0, upgrade to version 2.8.1, which remediates the issue. As a temporary workaround, restrict the wppfm removeFeedFile function to privileged users (for example, by adding a capability check and nonce verification before the deletion and confining the target to the plugin's own feed directory), or deactivate the plugin until it can be updated.
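The pattern behind this class of bug, and the fix the recommendation describes, as an added illustration that is not the plugin's code: a hypothetical WordPress AJAX handler that deletes a feed file, first in the vulnerable shape (reachable by any logged-in user, deletes whatever path the request names) and then hardened with a nonce check, a capability check, and path confinement. Function names, the action name, the nonce name, and the feed directory are assumptions; the WordPress and WooCommerce functions used (check_ajax_referer, current_user_can, wp_send_json_error, wp_upload_dir, sanitize_file_name) are real APIs.

```php
<?php
/*
 * Added example, not the plugin's code. Names prefixed myfeed_ are hypothetical.
 * Needs to run inside WordPress (the wp_ajax_* hook and helpers are WordPress APIs).
 */

// --- Vulnerable pattern -------------------------------------------------------
// wp_ajax_* actions are reachable by every authenticated user, Contributors
// included. With no capability check, no nonce and a caller-chosen path, a
// request such as file=../../../wp-config.php deletes the site's config file.
function myfeed_remove_feed_file_vulnerable() {
    $file = isset( $_POST['file'] ) ? $_POST['file'] : '';
    if ( $file !== '' && file_exists( $file ) ) {
        unlink( $file );
    }
    wp_send_json_success( 'removed' );
}
// add_action( 'wp_ajax_myfeed_remove_feed_file', 'myfeed_remove_feed_file_vulnerable' );

// --- Hardened version ---------------------------------------------------------
// Directory the plugin is allowed to delete from (assumed location).
function myfeed_feed_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'myfeed-feeds/';
}

// Resolve a requested name inside $base_dir and refuse anything that escapes
// it: directory components are stripped, then realpath() collapses traversal
// and symlinks so the prefix comparison is made on canonical paths.
function myfeed_resolve_feed_path( $name, $base_dir ) {
    if ( ! is_string( $name ) || $name === '' ) {
        return false;
    }
    $name      = basename( $name );
    $real_base = realpath( $base_dir );
    $real_file = realpath( $base_dir . $name );
    if ( $real_base === false || $real_file === false ) {
        return false;
    }
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $real_file, $real_base, strlen( $real_base ) ) !== 0 ) {
        return false;
    }
    if ( ! is_file( $real_file ) ) {
        return false;
    }
    return $real_file;
}

function myfeed_remove_feed_file_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'myfeed_remove_feed_file', 'nonce' );

    // 2. Authorization: the missing check from the advisory. manage_woocommerce
    //    is held by Administrators and Shop Managers, not by Contributors.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Confinement: only a regular file inside the feed directory may be removed.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $path = myfeed_resolve_feed_path( $name, myfeed_feed_dir() );
    if ( $path === false ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    if ( ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( 'removed' );
}
// Only the authenticated hook is registered; no wp_ajax_nopriv_ variant, so
// the action stays unreachable for anonymous visitors.
add_action( 'wp_ajax_myfeed_remove_feed_file', 'myfeed_remove_feed_file_hardened' );
```

The three checks are independent and all three are needed: the nonce stops cross-site requests, the capability check is what the advisory says was absent, and the path confinement means that even a privileged caller cannot turn the handler into an arbitrary file deletion primitive.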

Fix

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-7258

Affected Products

Woocommerce Google Feed Manager