CVE-2024-10857
- CVSS base score 6.5
- EPSS 1.81%
- Published 26.11.2024 07:15:05
- Last modified 09.07.2025 18:47:06
- Source security@wordfence.com
Product Input Fields for WooCommerce <= 1.9 - Authenticated (Contributor+) Arbitrary File Read
The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.9 via the handle_downloads() function due to insufficient file path validation/sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Possible countermeasure
Product Input Fields for WooCommerce: Update to version 2.0, or a newer patched version
Linked by AI from unstructured data to existing NVD CPEs
Further vulnerability information
- System: WordPress Plugin
- Product: Product Input Fields for WooCommerce
- Version: * - 1.9 (all versions up to and including 1.9)
Data provided by the National Vulnerability Database (NVD)
CPE match: Tychesoftwares ≫ Product Input Fields For Woocommerce (software platform: wordpress), version < 2.0
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.81% | 0.823 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CWE-35 Path Traversal: '.../...//'
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
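The CWE-35 sequence above is worth seeing concretely, because it explains why "stripping `../`" is not a fix for a download handler like the one described in this advisory. The following is an added example written for this page; it is not code from the plugin (which is PHP) and is written in Python to keep the point language-neutral. `DOWNLOAD_ROOT`, the function names and the sample file names are constructed assumptions. It shows a single-pass blocklist sanitizer collapsing `.../...//` into `../`, and beside it the containment check a defender should use instead: resolve the joined path and require it to remain under the base directory.

```python
import os
from typing import Optional

# Constructed base directory (an assumption, not a path from the advisory):
# the directory a download handler is meant to serve files from.
DOWNLOAD_ROOT = "/constructed-site/uploads/product-input-fields"


def naive_strip_traversal(name: str) -> str:
    """Blocklist 'sanitizer' that deletes every '../' in a single pass.

    This is the weakness CWE-35 describes: one pass over '.../...//'
    removes two non-overlapping '../' substrings and leaves '../' behind.
    """
    return name.replace("../", "")


def naive_download_path(base_dir: str, name: str) -> str:
    """Build the path the way an unsafe handler would: strip, then join.

    The result is normalized so the escape from base_dir is visible.
    """
    return os.path.normpath(os.path.join(base_dir, naive_strip_traversal(name)))


def resolve_within(base_dir: str, name: str) -> Optional[str]:
    """Containment check: resolve the joined path and require it to stay
    under base_dir. Nothing is stripped; any input that resolves outside
    the base (relative traversal, absolute path, or a symlink pointing
    elsewhere, since realpath follows links) is rejected with None.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample file names, including the CWE-35 sequence.
    for sample in ("invoice.pdf", "../wp-config.php",
                   ".../...//wp-config.php", "/etc/passwd"):
        print(f"{sample!r}: naive -> {naive_download_path(DOWNLOAD_ROOT, sample)}"
              f" | checked -> {resolve_within(DOWNLOAD_ROOT, sample)}")
```

Note that `resolve_within` does not try to recognise traversal patterns at all: `.../...//wp-config.php` is simply treated as a (non-existent) file under a directory literally named `...`, which stays inside the base and is therefore harmless, while `../wp-config.php` and `/etc/passwd` resolve outside it and are refused. Logging rejected names from such a check is also a cheap detection signal for attempts against a patched deployment.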