Unrated severityNVD Advisory· Published Oct 12, 2024· Updated Oct 14, 2024

Order Attachments for WooCommerce 2.0 - 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary File Upload

CVE-2024-9756

Description

The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload limited file types.

Affected products

Sldesignpl/Order Attachments For Woocommercev5
Range: 2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/tags/2.4.0/src/WCOA/Attachments/Attachment.phpmitre
plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/tags/2.4.0/src/WCOA/Utils/Ajax.phpmitre
plugins.trac.wordpress.org/changesetmitre
www.wordfence.com/threat-intel/vulnerabilities/id/0dfc8957-78b8-4c55-ba95-52d95b086341mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000