Arbitrary File Uploads Vulnerability in WooCommerce Product Addons & Fields Plugin
CVE-2024-3962

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Ppom – Product Addons & Custom Fields For WooCommerce
Vendor: CVE Published:; 26 April 2024

What is CVE-2024-3962?

The Product Addons & Fields for WooCommerce plugin for WordPress is exposed to a vulnerability allowing arbitrary file uploads due to insufficient file type validation in the ppom_upload_file function. This flaw impacts all versions up to and including 32.0.18 and permits unauthenticated attackers to upload files to the server. If successfully exploited, this vulnerability could enable remote code execution, particularly when the PPOM Pro plugin is also installed and used with a WooCommerce product featuring a file upload field. Site administrators should ensure timely updates and implement proper security practices to mitigate this risk.

Affected Version(s)

PPOM – Product Addons & Custom Fields for WooCommerce 0 <= 32.0.18

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeisle.com/plugins/ppom-pro/

https://plugins.trac.wordpress.org/changeset/3075669/wooc...

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 26, 2024

CVE-2024-3962 Data

JSON