Unrestricted File Upload Vulnerability in Import Export for WooCommerce Plugin
CVE-2024-54262

9.9 CRITICAL

Key Information:

Vendor: WordPress (plugin author: Siddharth Nagar)
CVE Published: 13 December 2024

Badges: 👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 25%

What is CVE-2024-54262?

CVE-2024-54262 is a critical vulnerability in the Import Export For WooCommerce plugin for WordPress, developed by Siddharth Nagar. The plugin accepts uploaded files without adequately validating their type, so an attacker with a low-privileged account can upload files of dangerous types, including PHP web shells, to the web server and then execute them by requesting them over HTTP. A successful upload therefore leads to code execution and potentially full control of the affected site. All versions up to and including 1.5 are affected; update to a release later than 1.5 to remediate the issue.
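To make the vulnerability class concrete, the following is an added illustration in PHP, not code from the Import Export For WooCommerce plugin or from Patchstack. It shows the upload-handler pattern that produces an unrestricted file upload next to a hardened version using standard WordPress APIs. The function names, the `import_file` form field, the `ie_wc_import` nonce action and the `manage_woocommerce` capability are assumptions chosen for the example; the plugin's actual handler is not shown on this page.

```php
<?php
/*
 * Added example for CVE-2024-54262's bug class. Not the plugin's code.
 * Assumed names: ie_wc_import_vulnerable(), ie_wc_import_hardened(),
 * the 'import_file' form field, the 'ie_wc_import' nonce action and the
 * 'manage_woocommerce' capability.
 */

// VULNERABLE PATTERN: trusts the client-supplied file name and type and writes
// the file into a web-served directory. A multipart request whose file is
// named "shell.php" lands under /wp-content/uploads/shell.php and is executed
// by the web server on the next GET request for that path.
function ie_wc_import_vulnerable() {
    if ( empty( $_FILES['import_file'] ) ) {
        wp_die( 'No file' );
    }
    $upload_dir = wp_upload_dir(); // basedir is served over HTTP
    $target     = $upload_dir['basedir'] . '/' . $_FILES['import_file']['name'];
    move_uploaded_file( $_FILES['import_file']['tmp_name'], $target );
    return $target; // caller parses the "import" from here
}

// HARDENED PATTERN: authorize, check the nonce, allowlist the import formats,
// verify the real content type, discard the client's file name and keep the
// file out of any web-served path.
function ie_wc_import_hardened() {
    // 1. Authorization: only users allowed to manage the shop may import.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. CSRF protection: the upload form must carry a valid nonce.
    check_admin_referer( 'ie_wc_import' );

    if ( empty( $_FILES['import_file'] ) || UPLOAD_ERR_OK !== $_FILES['import_file']['error'] ) {
        wp_die( 'No file', 400 );
    }
    $file = $_FILES['import_file'];

    // 3. Allowlist of import formats. Anything else (php, phtml, phar, html,
    //    svg, ...) is refused outright; there is no denylist to bypass.
    $allowed = array(
        'csv' => 'text/csv',
        'xml' => 'text/xml',
    );

    // 4. Validate extension AND content. wp_check_filetype_and_ext() compares
    //    the extension against $allowed and sniffs the file's real MIME type;
    //    a mismatch yields empty 'ext'/'type', which we treat as a rejection
    //    rather than falling back to the client-declared $file['type'].
    $check = wp_check_filetype_and_ext(
        $file['tmp_name'],
        sanitize_file_name( $file['name'] ),
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Unsupported file type', 415 );
    }

    // 5. Never reuse the client's file name and never store under the web
    //    root: wp_tempnam() creates a uniquely named file in the temp dir.
    $target = wp_tempnam( 'ie-wc-import-' );
    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        wp_die( 'Upload failed', 500 );
    }

    // Parse $target as data (fgetcsv / simplexml), never include() or
    // require() it, and unlink() it when the import is finished.
    return $target;
}
```

The two checks that matter most for this CVE are steps 3 and 4: an allowlist of data formats validated against the file's actual content, instead of trusting the name or the `Content-Type` the client supplied. Step 5 is defense in depth: even if validation were bypassed, a file in the system temp directory cannot be reached by a browser request, so it cannot be triggered as a web shell. Note that a `.htaccess` rule blocking PHP under `wp-content/uploads` is only honoured by Apache with `AllowOverride` enabled and does nothing on nginx, so it is not a substitute for the checks above.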

Affected Version(s)

Import Export For WooCommerce <= 1.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key building block for weaponization, which for a server-side code execution bug such as this one can end in ransomware deployment.

References

EPSS Score

25% chance of being exploited in the next 30 days.

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Joshua Chan (Patchstack Alliance)