Platform: wordpress
Component: woocommerce-pdf-vouchers
Fixed in: 4.9.5
CVE-2024-39651 describes an Arbitrary File Access vulnerability within the WooCommerce PDF Vouchers plugin. This flaw allows attackers to manipulate files on the server, potentially leading to unauthorized access and data compromise. The vulnerability impacts versions of WooCommerce PDF Vouchers prior to 4.9.5, and a patch has been released to address the issue.
The Arbitrary File Access vulnerability allows an attacker to read or write files outside of the intended directory. This could lead to the exposure of sensitive configuration files, database credentials, or even the execution of arbitrary code if the attacker can upload and execute a malicious file. Successful exploitation could result in complete server compromise and data theft. The impact is particularly severe given the plugin's common use for managing and distributing vouchers, which often contain customer data and payment information.
This vulnerability was publicly disclosed on 2024-08-13. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. Monitor WordPress installations for unauthorized file modifications and unusual file access patterns. No KEV listing at the time of writing.
Exploit Status
EPSS: 0.31% (54th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade WooCommerce PDF Vouchers to version 4.9.5 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., '../'). Additionally, restrict file upload permissions within the WordPress environment to prevent attackers from uploading malicious files. Regularly review file system permissions and ensure that the web server user has minimal necessary access.
Update the WooCommerce PDF Vouchers plugin to version 4.9.5 or later. This update fixes the arbitrary file deletion vulnerability. To update, go to the Plugins section of your WordPress admin dashboard and look for the available update.
CVE-2024-39651 is a HIGH severity vulnerability that allows attackers to manipulate files in WooCommerce PDF Vouchers versions earlier than 4.9.5, potentially leading to data exposure and server compromise.
You are affected if you are running a WooCommerce PDF Vouchers version earlier than 4.9.5. Check your plugin version immediately and upgrade if necessary.
Upgrade WooCommerce PDF Vouchers to version 4.9.5 or later. Consider implementing WAF rules and restricting file upload permissions as temporary mitigations.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation suggests a high probability of exploitation. Continuous monitoring is recommended.
Refer to the WooCommerce PDF Vouchers plugin documentation and the WPWeb website for the official advisory and update information.