CVE-2024-10857

Summary

The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.9 via the handle_downloads() function due to insufficient file path validation/sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected Software

VendorProductVersion RangeStatus
tychesoftwaresProduct Input Fields for WooCommerce0 <= 1.9affected

Weaknesses

  • CWE-35: CWE-35 Path Traversal: '…/…//'

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References