Order Export & Order Import for WooCommerce < 2.4.4 – Shop Manager+ Arbitrary File Upload | CVE 2024-22135 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the upload_import_file function in all versions up to, and including, 2.4.3. This makes it possible for authenticated attackers, with shop manager-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

order-import-export-for-woocommerce

Fixed in 2.4.4

References

CVE

URL

https://patchstack.com/database/vulnerability/order-import-export-for-woocommerce/wordpress-order-export-order-import-for-woocommerce-plugin-2-4-3-arbitrary-file-upload-vulnerability

Miscellaneous

Original Researcher

Dateoljo of BoB 12th

Verified

Yes

WPVDB ID

4f22ccfc-b51d-4561-bc09-0247c2795ccb

Timeline

Publicly Published

2024-01-10 (about 2 years ago)

Added

2024-01-17 (about 2 years ago)

Last Updated

2024-01-17 (about 2 years ago)

Other

Published

Title

Published

2025-05-16

Title

Printcart Web to Print Product Designer for WooCommerce < 2.4.0 - Unauthenticated Arbitrary File Upload

Published

2021-04-02

Title

Business Hours Pro <= 5.5.0 - Unauthenticated Arbitrary File Upload to RCE

Published

2024-06-18

Title

Squeeze < 1.4.1 - Authenticated (Admin+) Arbitrary File Upload

Published

2025-11-26

Title

Blubrry PowerPress < 11.15.3 - Authenticated (Contributor+) Arbitrary File Upload via 'powerpress_edit_post'

Published

2025-09-17

Title

Medcity < 1.1.9 - Unauthenticated Arbitrary File Upload