Insufficient File Upload Validation in Admin and Customer Messages Plugin for WooCommerce
CVE-2024-13355
5.4MEDIUM
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 16 January 2025
What is CVE-2024-13355?
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress suffers from a lack of proper file type validation in its upload_file() function. This vulnerability affects all versions up to and including 13.2. Authenticated users with Subscriber-level access and above can exploit this weakness to upload potentially malicious files, leading to serious security risks such as remote code execution and confirmed Cross-Site Scripting vulnerabilities, putting affected sites at significant risk.
Affected Version(s)
Admin and Customer Messages After Order for WooCommerce: OrderConvo * <= 13.2