HIGH · CVE-2024-37932 · CVSS 8.6

CVE-2024-37932: Arbitrary File Access in Woocommerce OpenPos

Platform

wordpress

Component

woocommerce-openpos

Fixed in

6.4.5

AI Confidence: high · NVD · EPSS 0.4% · Reviewed: May 2026

CVE-2024-37932 describes an Arbitrary File Access vulnerability within the Woocommerce OpenPos plugin. This flaw allows attackers to manipulate files on the server, potentially leading to unauthorized access and data compromise. The vulnerability impacts versions of Woocommerce OpenPos up to and including 6.4.4, and a patch is available in version 6.4.5.

Impact and Attack Scenarios

The Arbitrary File Access vulnerability in Woocommerce OpenPos allows an attacker to read or write files outside of the intended directory. This can be exploited to read sensitive configuration files, database credentials, or even execute arbitrary code if the attacker can upload and execute a malicious file. Successful exploitation could lead to complete server compromise and data exfiltration. The ability to manipulate files also opens the door for defacement of the website and disruption of services.

Exploitation Context

CVE-2024-37932 was publicly disclosed on 2024-07-12. No public proof-of-concept (POC) code has been released at the time of writing, but the nature of the vulnerability makes it likely that a POC will emerge. The vulnerability is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns. The NVD entry was published on the same date as the public disclosure.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.42% (62% percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Base score: 8.6 (HIGH), CVSS v3.1 Base Score, nextguardhq.com

What do these metrics mean?

Attack Vector (how the attacker reaches the target): Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity (conditions required to exploit): Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required (authentication level needed to attack): None — unauthenticated. No login or credentials needed to exploit.
User Interaction (whether a victim must take action): None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope (impact beyond the vulnerable component): Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality (risk of sensitive data exposure): None — no confidentiality impact. Attacker cannot read protected data.
Integrity (risk of unauthorized data modification): None — no integrity impact. Attacker cannot modify data.
Availability (risk of service disruption): High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: woocommerce-openpos
Vendor: anhvnit
Affected range: 0.0.0 – 6.4.4
Fixed in: 6.4.5

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-37932 is to immediately upgrade Woocommerce OpenPos to version 6.4.5 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Restrict file upload permissions and carefully validate all user-supplied input to prevent malicious file uploads. Regularly review file system permissions to ensure only authorized users and processes have access to sensitive files.
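As an added example of the workaround above (detecting path traversal attempts in requests while the upgrade is pending), the following Python script is not code from the page or from the OpenPos plugin. It scans web-server access-log lines in Combined Log Format for request targets whose path or query values contain a ".." directory segment, decoding URL-encoded and double-encoded forms that a plain "../" string match would miss, and it includes a helper that checks whether a user-supplied relative path would resolve outside an allowed base directory. The log lines, IP addresses, the `file=` query parameter and the base directory are constructed samples; no real OpenPos endpoint or parameter is referenced.

```python
"""Detect directory-traversal attempts in access logs and check that a
user-supplied path stays inside an allowed base directory.

Added example; not code from the OpenPos plugin. All sample data is constructed.
"""
import re
from posixpath import normpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (Combined Log Format). The `file=` parameter
# is a hypothetical name chosen for illustration only.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=receipt.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=../../wp-config.php HTTP/1.1" 200 3072 "-" "curl/8.0"
203.0.113.9 - - [12/Jul/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3072 "-" "curl/8.0"
203.0.113.9 - - [12/Jul/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3072 "-" "curl/8.0"
198.51.100.2 - - [12/Jul/2024:10:00:05 +0000] "GET /wp-content/uploads/2024/07/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status code from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment bounded by a slash (or backslash), the start, or the end.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %252e%252e%252f becomes %2e%2e%2f and then ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if the request path or any query value contains a '..' segment
    after full decoding. Backslashes are treated as path separators too."""
    parts = urlsplit(target)
    candidates = [parts.path]
    # parse_qsl decodes each value once; fully_decode handles further layers.
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for cand in candidates:
        cand = fully_decode(cand).replace('\\', '/')
        if TRAVERSAL_RE.search(cand):
            return True
    return False


def resolves_outside(base_dir: str, user_path: str) -> bool:
    """True when base_dir joined with user_path normalises to a location that
    is not inside base_dir. This is the server-side check a file-serving
    handler should apply before touching the filesystem."""
    base = normpath(base_dir).rstrip('/') + '/'
    rel = fully_decode(user_path).replace('\\', '/').lstrip('/')
    joined = normpath(base + rel)
    return not (joined + '/').startswith(base)


def scan_log(text: str) -> list:
    """Return one record per log line whose request target carries traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if has_traversal(m['target']):
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'target': m['target'], 'status': int(m['status'])})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['target']}")
```

Three of the five sample lines are flagged, including the single- and double-encoded variants; a status of 200 on a flagged request is the signal worth escalating, because it suggests the server accepted the path rather than rejecting it. The `resolves_outside` helper shows the stronger control: instead of pattern-matching on "..", normalise the joined path and verify it is still under the allowed directory.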

How to fix

Update the Woocommerce OpenPos plugin to a version later than 6.4.4. This will fix the arbitrary file deletion vulnerability. If no such version is available, consider disabling the plugin until an update is released.

Frequently asked questions

What is CVE-2024-37932 — Arbitrary File Access in Woocommerce OpenPos?

CVE-2024-37932 is a HIGH severity vulnerability allowing attackers to manipulate files in Woocommerce OpenPos versions up to 6.4.4, potentially leading to data exposure or server compromise.

Am I affected by CVE-2024-37932 in Woocommerce OpenPos?

You are affected if you are using Woocommerce OpenPos version 6.4.4 or earlier. Upgrade to version 6.4.5 to resolve the vulnerability.

How do I fix CVE-2024-37932 in Woocommerce OpenPos?

Upgrade Woocommerce OpenPos to version 6.4.5 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.

Is CVE-2024-37932 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it likely that exploitation attempts will occur.

Where can I find the official Woocommerce advisory for CVE-2024-37932?

Refer to the official Woocommerce security advisory for details: [https://woocommerce.com/security/](https://woocommerce.com/security/)
