Arbitrary File Read Vulnerability in Bulk Order Update for WooCommerce Plugin
CVE-2026-14500

5.3MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
8 July 2026

What is CVE-2026-14500?

The Bulk Order Update for WooCommerce plugin for WordPress is affected by an Arbitrary File Read vulnerability. The issue arises from the bouw_fetch_csv_data() AJAX handler, which is registered on the wp_ajax_nopriv_ hook without any capability or nonce checks. This vulnerability allows an unauthenticated attacker to exploit the csv_url POST parameter, which is insufficiently sanitized, enabling them to read the first line of arbitrary files on the server. This can expose sensitive information, such as password files, and could be leveraged to validate the existence of files on the server.

Affected Version(s)

Bulk Order Update for WooCommerce 0 <= 1.6

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

nthng
.