WordPress Plugin Vulnerabilities

Management App for WooCommerce < 1.2.3 - Subscriber+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
wemanage-app-worker
Fixed in 1.2.3

References

CVE
CVE-2024-1205
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4219c10-9d2a-429d-9ac7-61efc02bd4cf

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
3ff36d7f-9763-43c4-9e18-f14146bdc921

Timeline

Publicly Published
2024-03-19 (about 2 years ago)
Added
2024-03-19 (about 2 years ago)
Last Updated
2024-04-01 (about 2 years ago)

Other

Published
Title
Published
2024-11-13
Title
CF7 Reply Manager <= 1.2.3 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2026-04-21
Title
GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content < 1.2.3 - Unauthenticated Arbitrary File Upload
Published
2025-12-19
Title
File Uploader for WooCommerce < 1.0.4 - Unauthenticated Arbitrary File Upload via add-image-data
Published
2014-08-01
Title
WP Marketplace 1.5.0-1.6.1 - Arbitrary File Upload
Published
2024-11-13
Title
CDI < 5.5.6 - Authenticated (Shop Manager+) Arbitrary File Upload