Back

CVE-2024-3962

April 26, 2024, 12:58 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Product Addons & Fields for WooCommerce plugin

  • up to 32.0.18

Product Addons & Fields for WooCommerce plugin for WordPress

  • up to 32.0.18

Source

security@wordfence.com

Tags

CVE-2024-3962 details

Published : April 26, 2024, 9:15 a.m.
Last Modified : April 26, 2024, 12:58 p.m.

Description

The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce.

CVSS Score

1 2 3 4 5 6 7 8 9.8 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Exploitability Score

Impact Score

Base Severity

CRITICAL

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

URL Source
https://plugins.trac.wordpress.org/changeset/3075669/woocommerce-product-addon security@wordfence.com
https://themeisle.com/plugins/ppom-pro/ security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f95bcc3-354e-4016-9a17-945569b076b6?source=cve security@wordfence.com
This website uses the NVD API, but is not approved or certified by it.