PT-2024-39820 · WordPress · Order Attachments For Woocommerce
Lucky_Noob
·
Published
2024-10-12
·
Updated
2024-11-25
·
CVE-2024-9756
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Order Attachments for WooCommerce plugin for WordPress versions 2.0 through 2.4.1
Description
The issue is related to unauthorized limited arbitrary file uploads due to a missing capability check on the "wcoa add attachment" AJAX action. This allows authenticated attackers with subscriber-level access and above to upload limited file types.
Recommendations
For versions 2.0 through 2.4.1, update to a version that includes a fix for the missing capability check on the wcoa add attachment AJAX action.
As a temporary workaround, consider restricting access to the wcoa add attachment AJAX action to prevent unauthorized file uploads until a patch is available.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Order Attachments For Woocommerce