CVE-2024-13359
Published: 08 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2024-13359 is an arbitrary file upload vulnerability in the Product Input Fields for WooCommerce plugin for WordPress, affecting all versions up to and including 1.12.0. The issue stems from insufficient file type validation in the add_product_input_fields_to_order_item_meta() function, which enables attackers to upload arbitrary files to the affected site's server. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit the vulnerability over the network with high attack complexity and no privileges required. By default, exploitation is limited to double extension file upload attacks, but if an administrator leaves the accepted file extensions field blank, direct uploads of .php files become feasible, potentially leading to remote code execution on the server.
Advisories recommend updating to version 1.12.1 or later for mitigation, as 1.12.1 fully patches the vulnerability despite a brief period where it was mistakenly marked as vulnerable and 1.12.2 as patched. Relevant resources include the Wordfence threat intelligence report and WordPress plugin trac changesets (e.g., revisions 3234567 and 3250201) detailing the code fixes in class-alg-wc-pif-main.php.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and deployment of web shells for RCE (T1505.003).