WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE
Description
The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/WooCommerce Help Scout plugin
- Range: <2.9.1
Patches
Vulnerability mechanics
Root cause
"Missing file type validation in the file upload handler allows unauthenticated arbitrary file upload."
Attack vector
An unauthenticated attacker can send a crafted HTTP request to the plugin's file upload endpoint with an arbitrary file (e.g., a PHP web shell). The plugin fails to validate the file type or extension, so the uploaded file is stored on the server under `wp-content/uploads/hstmp/`. Because the file is accessible via the web, the attacker can then execute the uploaded PHP code remotely, achieving unauthenticated remote code execution [ref_id=1].
Affected code
The vulnerability resides in the WooCommerce Help Scout plugin (versions 2.6–2.8). The plugin's file upload functionality does not restrict file types, allowing arbitrary files to be uploaded to `wp-content/uploads/hstmp/` [ref_id=1].
What the fix does
Version 2.9.1 fixes the arbitrary PHP upload by adding file type validation to the upload handler [ref_id=1]. The advisory notes that even after the fix, an image containing PHP code could still be uploaded and combined with a local file inclusion (LFI) vulnerability, so a hardening recommendation was also sent to the vendor [ref_id=1]. No patch diff is available in the bundle.
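As an added illustration of the kind of check the fix introduces (example code written for this page, not the plugin's own upload handler), the function below validates an attachment by extension allowlist, magic bytes and a scan for embedded PHP tags. The tag scan goes beyond the described fix: it addresses the residual risk the advisory notes, an image file carrying PHP code that a separate LFI bug could include. The allowlist and the sample inputs are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Assumed allowlist for a support-ticket attachment handler (constructed for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Leading bytes each allowed binary format must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a PHP-capable web server might execute if they appear anywhere in the name.
EXECUTABLE_PARTS = {"php", "phtml", "phar", "php5", "php7"}

# Matches an opening PHP tag (<?php or the short echo form <?=) anywhere in the content.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload; reject anything not on the allowlist."""
    name = PurePosixPath(filename).name
    if not name or name != filename or name.startswith("."):
        return False, "bad filename"          # path components or hidden files
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if any(p in EXECUTABLE_PARTS for p in parts[:-1]):
        return False, "nested executable extension"   # e.g. name.php.png
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return False, "content does not match extension"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"      # image/text polyglot carrying PHP
    return True, "ok"
```

A real WordPress plugin should lean on core helpers such as wp_check_filetype_and_ext() rather than re-implement the extension and MIME logic; the tag scan is the extra step core does not perform.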
Preconditions
- Config: The WooCommerce Help Scout plugin (versions 2.6–2.8) must be installed and active.
- Auth: No authentication is required; the attacker can be unauthenticated.
- Network: The attacker must have network access to the WordPress site's upload endpoint.
- Input: The attacker supplies a malicious file (e.g., a PHP web shell) as the payload.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- dzv365zjfbd8v.cloudfront.net/changelogs/woocommerce-help-scout/changelog.txt (MISC)
- wpscan.com/vulnerability/cf9305e8-f5bc-45c3-82db-0ef00fd46129 (CONFIRM)