Platform: wordpress
Component: woocommerce-checkout-field-editor-pro
Fixed in: 3.6.3
CVE-2024-35658 is an Arbitrary File Access vulnerability in the Checkout Field Editor for WooCommerce (Pro) plugin for WordPress, published by ThemeHigh. It affects all versions up to and including 3.6.2; the fix shipped in version 3.6.3.
An arbitrary file access flaw means the plugin performs a file operation on a path that an attacker can influence, so the operation can be pointed outside the directory the plugin is meant to touch. Depending on which operation is exposed, that lets an attacker read files the web server account can read (wp-config.php, which holds the database credentials, is the usual target) or delete or overwrite files it can write, which can take the site down or serve as a stepping stone to full site compromise. On a WooCommerce store the data at stake is customer and order data, including any payment details stored locally. The attack surface is confined to this plugin's own functionality, but the impact is rated high because of the sensitivity of e-commerce data.
CVE-2024-35658 was publicly disclosed on 2024-06-10. There is no indication of active exploitation at this time, and it is not in CISA's Known Exploited Vulnerabilities (KEV) catalog; its EPSS score is 0.25% (48th percentile), a low predicted probability of exploitation in the next 30 days. No public proof-of-concept code is known at the time of writing. Monitor security advisories and vulnerability databases for updates.
Websites running WooCommerce with the Checkout Field Editor for WooCommerce (Pro) plugin at version 3.6.2 or earlier are affected. Shared hosting deserves extra attention: how far a file-access flaw reaches depends on what the web server account can read and write, and on a shared host that boundary is set by the host's account isolation rather than by anything the site owner controls.
• wordpress / composer / npm:
Check the installed plugin version rather than grepping the source for "../": the flaw is in the plugin's PHP logic, so a literal search of its files says nothing about exposure. Read the Version header of the plugin's main file (adjust the directory name if your install uses a different slug, e.g. checkout-field-editor-for-woocommerce-pro):
grep -Ei '^[ \t/*#@]*Version:' /var/www/html/wp-content/plugins/woocommerce-checkout-field-editor-pro/*.php
or, with WP-CLI:
wp plugin get woocommerce-checkout-field-editor-pro --field=version
Anything below 3.6.3 is affected.
• generic web:
curl -s --path-as-is -o /dev/null -w '%{http_code}\n' 'https://your-website.com/wp-content/plugins/woocommerce-checkout-field-editor-pro/../../../../etc/passwd' # probe for directory traversal; --path-as-is stops curl from collapsing the ../ segments before the request is sent
This probe only exercises the web server's handling of dot-segments, not the plugin code in which CVE-2024-35658 lives; a 400, 403 or 404 here does not mean the plugin is patched.
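The same version check done in Python so it can be run across many installs, as an added example that is not code from the original page or from ThemeHigh: it reads the plugin's Version header the way WordPress does and compares it numerically against the fixed release, which a plain string comparison gets wrong once a component reaches two digits. The sample header is constructed, the plugin directory name is assumed from the Component field above, and the fixed version 3.6.3 is taken from this page.

```python
"""Check whether an installed copy of Checkout Field Editor for WooCommerce (Pro)
predates the fix for CVE-2024-35658. Added example, not plugin or vendor code."""
import re
import tempfile
from pathlib import Path
from typing import Optional

FIXED_VERSION = "3.6.3"  # first fixed release named on this page
PLUGIN_SLUG = "woocommerce-checkout-field-editor-pro"  # Component field above; assumed directory name

# WordPress reads file headers with a pattern equivalent to this one:
# any run of space/tab/comment characters, the key, a colon, then the value.
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(source: str) -> Optional[str]:
    """Return the Version header value from plugin source text, or None if absent."""
    m = VERSION_HEADER.search(source)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """'3.6.10' -> (3, 6, 10); numeric so that 3.6.10 sorts after 3.6.3."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def find_plugin_version(plugin_dir: Path) -> Optional[str]:
    """Scan the top-level .php files of a plugin directory for its Version header
    (the header lives in the main plugin file, which is always at the top level)."""
    for php_file in sorted(plugin_dir.glob("*.php")):
        version = parse_plugin_version(php_file.read_text(errors="replace"))
        if version:
            return version
    return None


# Constructed sample of a plugin main-file header (not the vendor's real file).
SAMPLE_MAIN_FILE = """<?php
/**
 * Plugin Name: Checkout Field Editor for WooCommerce (Pro)
 * Version: 3.6.2
 * Requires PHP: 7.0
 */
"""


def demo() -> dict:
    """Write the constructed sample into a temp dir shaped like wp-content/plugins/<slug> and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "main.php").write_text(SAMPLE_MAIN_FILE)
        found = find_plugin_version(plugin_dir)
        return {"version": found, "affected": is_affected(found)}


if __name__ == "__main__":
    result = demo()
    status = "AFFECTED, upgrade to " + FIXED_VERSION if result["affected"] else "not affected"
    print(f"installed {result['version']}: {status}")
    # Why numeric comparison matters: as strings, "3.6.10" < "3.6.3" is True.
    print("string compare says 3.6.10 < 3.6.3:", "3.6.10" < "3.6.3")
    print("numeric compare says 3.6.10 affected:", is_affected("3.6.10"))
```

Point `find_plugin_version` at the real plugin directory on each host to use it outside the demo; the header regex mirrors the one WordPress uses for file headers, so it tolerates the `*`-prefixed comment style as well as `#` and `//` comments.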
Exploit status
EPSS: 0.25% (48th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-35658 is to upgrade the Checkout Field Editor for WooCommerce (Pro) plugin to version 3.6.3 or later. If that cannot be done immediately, a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (../) buys time, with two caveats: the rule must normalise the request (percent-decode, including double encoding, and fold backslashes into slashes) before matching, or it is trivially bypassed; and it is a stopgap, not a fix. Reduce the blast radius by running PHP under an account whose write access is limited to the directories WordPress actually needs, and review filesystem permissions so that sensitive files such as wp-config.php are neither world-readable nor served by the web server. After upgrading, confirm that the installed version reports 3.6.3 or later; if you rely on a WAF rule in the meantime, confirm on a non-production copy that it blocks both the literal and the encoded forms of ../.
Update the Checkout Field Editor for WooCommerce (Pro) plugin to the latest available version. The flaw allows an attacker to delete arbitrary files on the server, so updating is essential to protect your site. If you cannot apply the update right away, disable the plugin temporarily until you can.
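The WAF advice above hinges on what "containing ../" means: a rule that matches the literal bytes is bypassed by percent-encoding, double encoding or backslashes. This added example, which is not code from the page or from ThemeHigh, shows a normalising check beside the naive one and runs both over a few constructed access-log lines. The log lines, the `action=example&file=` parameters and the function names are invented for the example; nothing in it reflects the plugin's actual request handling.

```python
"""Path-traversal detection for a WAF rule or log review: normalise the request
target before matching so encoded forms of '../' are not missed.
Added example; the request lines below are constructed, not from a real server."""
import re
from urllib.parse import unquote

# After decoding, '..' counts as a traversal segment when it is delimited by a
# path separator, the start/end of the target, or a query-string delimiter
# (so '?file=../x' is caught, while 'file..php' is not).
DOTDOT_SEGMENT = re.compile(r"(?:^|[/?&=;])\.\.(?:/|$)")
MAX_DECODE_ROUNDS = 3  # enough to unwrap double/triple percent-encoding


def naive_has_traversal(target: str) -> bool:
    """The rule as literally described: block requests containing '../'."""
    return "../" in target


def normalise_target(target: str) -> str:
    """Percent-decode until stable (bounded), then fold backslashes into slashes."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """Normalising check: catches %2e%2e%2f, %252e%252e%252f, ..%5c and '?file=..%2f'."""
    return DOTDOT_SEGMENT.search(normalise_target(target)) is not None


# Apache/nginx combined-format request line: '"GET /target HTTP/1.1"'.
REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/')


def scan_access_log(lines) -> list:
    """Return the request targets in `lines` that contain a traversal sequence."""
    flagged = []
    for line in lines:
        m = REQUEST_TARGET.search(line)
        if m and has_traversal(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample log lines (synthetic; the plugin directory is the Component
# slug from this page and the admin-ajax parameters are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:10:00:01 +0000] "GET /wp-content/plugins/woocommerce-checkout-field-editor-pro/assets/css/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:02 +0000] "GET /wp-content/plugins/woocommerce-checkout-field-editor-pro/../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=..%5c..%5cwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2024:10:00:06 +0000] "GET /wp-content/uploads/2024/06/invoice..pdf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for target in scan_access_log(SAMPLE_LOG):
        print("traversal:", target, "| naive rule would catch:", naive_has_traversal(target))
```

Of the four malicious lines only the first (the literal `../`) is caught by the naive rule; the normalising check catches all four and leaves the benign `invoice..pdf` alone. It handles percent-encoding and backslashes only; a production WAF also has to deal with overlong UTF-8 and null bytes, and none of this replaces the upgrade.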
CVE-2024-35658 is a HIGH severity vulnerability in Checkout Field Editor for WooCommerce (Pro) allowing attackers to access files outside the intended directory. It affects versions ≤3.6.2 and has a CVSS score of 8.6.
You are affected if you run Checkout Field Editor for WooCommerce (Pro) version 3.6.2 or earlier; all such versions carry this Arbitrary File Access issue.
Upgrade to Checkout Field Editor for WooCommerce (Pro) version 3.6.3 or later to resolve the vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
As of now there are no confirmed reports of active exploitation, but unpatched installs remain exposed and should be updated without waiting for such reports.
Refer to the official ThemeHigh website and WooCommerce security resources for the latest advisory and updates regarding CVE-2024-35658.