WordPress Plugin Vulnerabilities

Woocommerce OpenPos < 7.0.1 - Unauthenticated Arbitrary File Deletion

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in a function, allowing unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
woocommerce-openpos
Fixed in 7.0.1

References

CVE
CVE-2024-37932
URL
https://patchstack.com/database/vulnerability/woocommerce-openpos/wordpress-woocommerce-openpos-plugin-6-4-4-unauthenticated-arbitrary-file-deletion-vulnerability

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
cff158ee-51ec-4c36-8677-608bc18f8eeb

Timeline

Publicly Published
2024-07-09 (about 1 year ago)
Added
2024-07-15 (about 1 year ago)
Last Updated
2024-08-16 (about 1 year ago)

Other

Published
Title
Published
2023-04-18
Title
YARPP - Yet Another Related Posts Plugin < 5.30.5 - Subscriber+ LFI
Published
2024-08-27
Title
Funnelforms Free < 3.7.4.1 - Authenticated (Administrator+) Arbitrary File Deletion
Published
2021-06-23
Title
WP Image Zoom < 1.47 - Local File Inclusion
Published
2025-02-02
Title
Plugin A/B Image Optimizer <= 3.3 - Authenticated (Subscriber+) Arbitrary File Download
Published
2025-04-07
Title
Nomupay Payment Processing Gateway < 7.1.6 - Authenticated (Subscriber+) Arbitrary File Download