7.5

CVE-2024-13638

EPSS 0.23%
Veröffentlicht 28.02.2025 09:15:10
Zuletzt bearbeitet 06.03.2025 16:36:54
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Order Attachments for WooCommerce <= 2.5.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments added to orders.

Mögliche Gegenmaßnahme

Order Attachments for WooCommerce: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Order Attachments for WooCommerce

Version *-2.5.1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Directsoftware ≫ Order Attachments For Woocommerce SwPlatformwordpress Version <= 2.5.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.46

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@wordfence.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/trunk/src/WCOA/Attachments/Attachment.php#L87

Product

https://plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/trunk/src/WCOA/Utils/Ajax.php#L61

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/7e98b1ef-70dd-408d-8644-08933bca1cdd?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/7e98b1ef-70dd-408d-8644-08933bca1cdd

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-13638

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-13638

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-13638

EUVD