WordPress Plugin Vulnerabilities

Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload

Description

The plugin does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP

Proof of Concept

Affects Plugins

Plugin icon
role-based-pricing-for-woocommerce
Fixed in 1.6.2

References

CVE
CVE-2022-3537

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
696868f7-409d-422d-87f4-92fc6bf6e74e

Timeline

Publicly Published
2022-10-17 (about 3 years ago)
Added
2022-10-17 (about 3 years ago)
Last Updated
2022-10-17 (about 3 years ago)

Other

Published
Title
Published
2026-01-06
Title
Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.9.3 - Unauthenticated Limited Arbitrary File Upload
Published
2025-01-16
Title
user files <= 2.4.2 - Unauthenticated Arbitrary File Upload
Published
2025-09-05
Title
Multi Step Form < 1.7.26 - Authenticated (Admin+) Arbitrary File Upload
Published
2025-09-17
Title
Medcity < 1.1.9 - Unauthenticated Arbitrary File Upload
Published
2025-09-03
Title
Wastia < 1.1.3 - Unauthenticated Arbitrary File Upload