PT-2026-56323 · Sayantandas20 · Bulk Order Update For Woocommerce

Nthng

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-14500

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouw fetch csv data() AJAX handler being registered on the wp ajax nopriv hook with no capability or nonce check, and passing the attacker-supplied csv url POST parameter — filtered only by esc url raw() (which leaves absolute filesystem paths intact) and validate file() (which only rejects '..' traversal patterns) — directly into fopen()/fgetcsv() and reflecting the first parsed line in the JSON response. This makes it possible for unauthenticated attackers to read the first line of arbitrary files on the server (such as /etc/passwd) and to use the handler as a file-existence oracle.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-14500

Affected Products

Bulk Order Update For Woocommerce