Dropshipping & Affiliation with Amazon <= 2.1.2 – Authenticated (Subscriber+) Arbitrary File Upload | CVE 2023-31215 | Plugin Vulnerabilities

Description

The Dropshipping & Affiliation with Amazon plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on files imported from a URL via the wpas_import_product_from_amazon() function called via an AJAX action in versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/17240c75-4e2a-45d2-8114-414c7e81af87

Miscellaneous

Original Researcher

spacecroupier

Verified

No

WPVDB ID

61c13821-b155-46fa-893f-169165a99149

Timeline

Publicly Published

2023-10-03 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-02 (about 2 years ago)

Other

Published

Title

Published

2015-02-12

Title

Photo Gallery <= 1.2.5 - Unrestricted File Upload

Published

2014-08-01

Title

Rich Widget - File Upload

Published

2014-08-01

Title

Xerte Online <= 0.35 - File Upload

Published

2025-09-29

Title

Qyrr – simply and modern QR-Code creation < 2.0.8 - Authenticated (Contributor+) Arbitrary File Upload

Published

2024-10-04

Title

Hash Form - Drag & Drop Form Builder < 1.2.0 - Unauthenticated Limited File Upload