Platform: wordpress
Component: woocommerce-checkout-field-editor-pro
Fixed in: 3.6.3
CVE-2024-35658 describes an Arbitrary File Access vulnerability discovered in the Checkout Field Editor for WooCommerce (Pro) plugin. This flaw allows attackers to potentially manipulate files on the server, leading to unauthorized access and data compromise. The vulnerability impacts versions of the plugin up to and including 3.6.2, and a fix is available in version 3.6.3.
The Arbitrary File Access vulnerability allows an attacker to read or write files outside of the intended directory. This can be exploited to read sensitive configuration files, database credentials, or even upload malicious code. Successful exploitation could lead to complete server compromise, data theft, and denial of service. The ability to write files opens the door to remote code execution if the attacker can upload a web shell or modify existing PHP files. This vulnerability is particularly concerning given the popularity of WooCommerce and the potential for widespread exploitation.
CVE-2024-35658 was publicly disclosed on June 10, 2024. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. While no active exploitation has been confirmed, the ease of exploitation and the popularity of WooCommerce make it a likely target for opportunistic attackers.
Exploit Status
EPSS: 0.25% (48th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-35658 is to immediately upgrade the Checkout Field Editor for WooCommerce (Pro) plugin to version 3.6.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file upload permissions within the WordPress environment or using a Web Application Firewall (WAF) to block requests containing path traversal sequences (e.g., ../). Regularly review file permissions and access logs for any suspicious activity. After upgrading, confirm the fix by attempting to access files outside the intended directory via a web browser – access should be denied.
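The WAF rule and access-log review suggested above, as an added detection example that is not part of the original advisory: a scanner over constructed Apache-style access log lines that percent-decodes each request target (including double encoding and backslash separators) before testing for traversal sequences, and records whether the server actually refused the request. The `path=` query parameter and the log lines are constructed for illustration and do not describe the plugin's real endpoints.

```python
import re
from urllib.parse import unquote

# Broad, WAF-style test: a dot-dot segment followed by a separator or end of string.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")

# Apache combined log: client IP, request line (method + target), status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches ..%252F double encoding)
    and fold backslashes to forward slashes so ..%5c is treated like ../."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the normalized request target contains a traversal sequence."""
    return TRAVERSAL_RE.search(normalize_path(target)) is not None


def scan_access_log(lines):
    """Return one record per request carrying a traversal sequence; `blocked`
    is True when the server answered with a 4xx/5xx status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, target, status = m.groups()
        if has_traversal(target):
            hits.append({"ip": ip, "method": method, "target": target,
                         "status": int(status), "blocked": int(status) >= 400})
    return hits


# Constructed sample log lines (hypothetical `path` parameter, documentation IPs).
LOG_LINES = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /shop/checkout/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?path=../../wp-config.php HTTP/1.1" 200 812 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?path=..%2F..%2Fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2024:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?path=..%252F..%252Fwp-config.php HTTP/1.1" 200 812 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(hit)
```

A 2xx status on a flagged request after the upgrade means the fix or WAF rule is not covering that encoding and should be investigated.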
Update the Checkout Field Editor for WooCommerce (Pro) plugin to the latest available version. The vulnerability allows arbitrary file deletion, so updating is crucial to protect your website. If no updated version is available, consider temporarily disabling the plugin until an update is published.
CVE-2024-35658 is a HIGH severity vulnerability in Checkout Field Editor for WooCommerce (Pro) allowing attackers to access files outside the intended directory. It affects versions ≤3.6.2 and has a CVSS score of 8.6.
Yes, if you are using Checkout Field Editor for WooCommerce (Pro) version 3.6.2 or earlier, you are vulnerable to this Arbitrary File Access issue.
Upgrade to Checkout Field Editor for WooCommerce (Pro) version 3.6.3 or later to resolve the vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official ThemeHigh website and WooCommerce security resources for the latest advisory and updates regarding CVE-2024-35658.