WordPress Plugin Vulnerabilities

WooCommerce Checkout Field Manager < 18.0 - Unauthenticated Arbitrary File Upload

Description

The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server

Proof of Concept

Affects Plugins

Plugin icon
n-media-woocommerce-checkout-fields
Fixed in 18.0

References

CVE
CVE-2022-4328

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
4dc72cd2-81d7-4a66-86bd-c9cfaf690eed

Timeline

Publicly Published
2023-02-13 (about 2 years ago)
Added
2023-02-13 (about 2 years ago)
Last Updated
2023-03-06 (about 2 years ago)

Other

Published
Title
Published
2021-06-24
Title
ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload
Published
2025-04-01
Title
Front-End-Only-Users < 3.2.33 - Unauthenticated Arbitrary File Upload
Published
2025-06-04
Title
WP User Frontend Pro < 4.1.4 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-08-01
Title
Cimy User Extra Fields - Arbitrary File Upload
Published
2023-12-18
Title
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload