Product Import Export for WooCommerce < 2.3.8 – Shop Manager+ Arbitrary File Upload via upload_import_file | CVE 2024-22152 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_import_file' function n all versions up to, and including, 2.3.7. This makes it possible for authenticated attackers, with Shop Manager access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

product-import-export-for-woo

Fixed in 2.3.8

References

CVE

URL

https://patchstack.com/database/vulnerability/product-import-export-for-woo/wordpress-product-import-export-for-woocommerce-plugin-2-3-7-arbitrary-file-upload-vulnerability

Miscellaneous

Original Researcher

Dateoljo of BoB 12th

Verified

No

WPVDB ID

f2c73254-9d71-4cc1-b843-d2d2f4050c1e

Timeline

Publicly Published

2024-01-16 (about 2 years ago)

Added

2024-01-20 (about 2 years ago)

Last Updated

2024-01-20 (about 2 years ago)

Other

Published

Title

Published

2021-09-01

Title

Secure File Manager <= 2.9.3 - Admin+ RCE

Published

2018-10-15

Title

Tajer - Unauthenticated Arbitrary File Upload

Published

2026-03-16

Title

Unlimited Elements for Elementor (Premium) <= 1.4.72 - Authenticated (Contributor+) Arbitrary File Upload

Published

2025-06-27

Title

File Manager Plugin For Wordpress <= 7.5 - Authenticated (Admin+) Arbitrary File Upload

Published

2024-04-10

Title

Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE < 2.6.9 - Author+ Stored XSS via SVG Upload