PT-2024-6122 · Microsoft · Windows

1337_Wannabe +1 · Published 2024-07-10 · Updated 2024-09-03 · CVE-2024-6500

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: InPost for WooCommerce plugin versions 1.4.0 and earlier; InPost PL plugin for WordPress versions 1.4.4 and earlier.

Description: The parse request function lacks a capability check, so requests reach it without any authorization, allowing unauthorized access to and deletion of data. Unauthenticated attackers can therefore read and delete arbitrary files on Windows servers; on Linux servers, only files within the WordPress install can be deleted, but all files can still be read. Over 10,000 WordPress sites are at risk due to this critical file deletion flaw.

Recommendations: For InPost for WooCommerce plugin versions 1.4.0 and earlier, update to version 1.4.5 or later. For InPost PL plugin for WordPress versions 1.4.4 and earlier, update to a version later than 1.4.4. As a temporary workaround, consider disabling the parse request function until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation.
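The advisory describes a handler on WordPress's parse_request hook that acts on files without any authorization check. The following is an added illustration of the hardened pattern a plugin author would apply, not the InPost plugin's own code: the function and query-variable names (inpost_demo_*, inpost_file) and the use of the uploads directory as the confinement root are assumptions.

```php
<?php
// Added example (not the InPost plugin's code). Names prefixed inpost_demo_ and the
// 'inpost_file' query variable are placeholders chosen for this illustration.

// Resolve a user-supplied relative path and refuse anything that escapes $base.
// realpath() collapses "..", symlinks and, on Windows, "\" separators and drive
// letters, so the containment test is done on the canonical form only. This is
// what prevents the platform-dependent escape the advisory describes.
function inpost_demo_resolve_under( string $base, string $relative ) {
    $base_real = realpath( $base );
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $base_real || false === $candidate ) {
        return false; // unresolvable or non-existent path
    }
    $prefix = rtrim( $base_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    // Windows filesystems are case-insensitive, so compare accordingly there.
    $same = ( '\\' === DIRECTORY_SEPARATOR )
        ? 0 === strncasecmp( $candidate, $prefix, strlen( $prefix ) )
        : 0 === strncmp( $candidate, $prefix, strlen( $prefix ) );
    return $same ? $candidate : false;
}

// Hardened handler on parse_request: capability and nonce checks run before any
// file is touched, and deletion is confined to the uploads directory.
function inpost_demo_handle_delete( $wp ) {
    if ( ! isset( $wp->query_vars['inpost_file'] ) ) {
        return; // not our request
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) ); // the missing check
    }
    check_admin_referer( 'inpost_demo_delete' ); // CSRF protection; dies on failure

    $uploads = wp_upload_dir();
    $target  = inpost_demo_resolve_under(
        $uploads['basedir'],
        wp_unslash( $wp->query_vars['inpost_file'] )
    );
    if ( false === $target || ! is_file( $target ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $target );
}
add_action( 'parse_request', 'inpost_demo_handle_delete' );
```

For the query variable to reach $wp->query_vars it must also be registered through the query_vars filter; that registration is omitted here for brevity.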

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2024-07036
CVE-2024-6500

Affected Products

Windows