PT-2025-33520 · WordPress · Woocommerce Blocks – Woolook

Paulmockford · Published 2025-08-16 · Updated 2025-08-16 · CVE-2024-8393

CVSS v3.1: 6.6 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Woocommerce Blocks – Woolook plugin for WordPress versions prior to 1.7.1
Description: The Woocommerce Blocks – Woolook plugin for WordPress is vulnerable to Local File Inclusion via the tab parameter. This allows authenticated attackers with Administrator-level access and above to include and execute arbitrary files on the server, potentially enabling them to bypass access controls, obtain sensitive data, or achieve code execution. This is possible even when images and other typically safe file types are uploaded and included. The issue can also be exploited using Cross-Site Request Forgery (CSRF) techniques.
Recommendations: Update the Woocommerce Blocks – Woolook plugin to version 1.7.1 or later.
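
A common way to close this class of bug is to treat `tab` as a key into a fixed allowlist rather than as part of a file path, and to require a capability check and a nonce on the request. The PHP below is an added example, not the plugin's code or its 1.7.1 fix; the tab names, template file names, and the `example_settings` nonce action are assumptions.

```php
<?php
// Added example: hypothetical admin-page tab loader, not the Woolook plugin's code.
// Tab names, file names and the "example_settings" nonce action are assumptions.

const EXAMPLE_TABS = [
    'general'  => 'tab-general.php',
    'advanced' => 'tab-advanced.php',
];

/**
 * Map a request-supplied tab name to a template path, or null if not allowed.
 * The request value only selects an allowlist key; it never becomes part of a path.
 */
function example_resolve_tab(string $requested, string $templateDir): ?string
{
    if (!array_key_exists($requested, EXAMPLE_TABS)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside the template directory.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . EXAMPLE_TABS[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Render the settings page inside WordPress (tab links are built with wp_nonce_url()). */
function example_render_settings_page(): void
{
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', ['response' => 403]);
    }
    $tab = 'general';
    if (isset($_GET['tab'])) {
        // A forged cross-site request carries no valid _wpnonce, so this call dies.
        check_admin_referer('example_settings');
        $tab = sanitize_key(wp_unslash($_GET['tab']));
    }
    $template = example_resolve_tab($tab, __DIR__ . '/templates');
    if ($template === null) {
        wp_die('Unknown tab', '', ['response' => 400]);
    }
    require $template;
}
```

With this pattern an uploaded image or any other file outside the allowlist can never be reached through `tab`, regardless of its extension or location.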

Related Identifiers: CVE-2024-8393

Affected Products: Woocommerce Blocks – Woolook