CVE-2024-13622
Published: 18 February 2025
Description
The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory, which can contain file attachments uploaded by customers.
Security Summary
CVE-2024-13622 is a sensitive information exposure vulnerability (CWE-200) in the File Uploads Addon for WooCommerce plugin for WordPress, affecting all versions up to and including 1.7.1. The flaw lies in the plugin's 'uploads' directory: file attachments uploaded by customers are stored insecurely under the web-served /wp-content/uploads directory, so the sensitive data they contain is exposed to anyone who can reach the site.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required, earning it a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation enables attackers to extract the sensitive data from the uploads directory.
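The weakness summarised above is customer files written beneath the web-served uploads tree, where no WordPress login is required to fetch them. As an added illustration (not the plugin's code and not its actual patch), the following PHP contrasts that pattern with storage outside the document root behind an ownership-checked WordPress download handler; the cu_ function names, the admin_post action name, the order meta key and the private-uploads path are assumptions.

```php
<?php
// Added illustration of the CWE-200 pattern described in the advisory; not the plugin's code.
// Hypothetical names: the cu_ prefix, the action name, the meta key and the storage path are assumptions.

// WEAK PATTERN: the attachment is written beneath wp-content/uploads, which the web server
// serves directly, so anyone who learns or guesses the URL can fetch it without logging in.
function cu_store_weak( string $tmp_path, string $original_name ): string {
    $dir = wp_upload_dir()['basedir'] . '/customer-attachments';   // web-accessible
    wp_mkdir_p( $dir );
    $dest = $dir . '/' . sanitize_file_name( $original_name );
    move_uploaded_file( $tmp_path, $dest );
    return $dest;
}

// HARDENED PATTERN: store outside the document root under a random name and keep only
// the stored name in the WooCommerce order's metadata, so every read goes through WordPress.
function cu_store_private( string $tmp_path, string $original_name, int $order_id ): string {
    $dir = dirname( ABSPATH ) . '/private-uploads';                  // not served by the web server
    wp_mkdir_p( $dir );
    $ext    = strtolower( pathinfo( $original_name, PATHINFO_EXTENSION ) );
    $stored = wp_generate_password( 32, false ) . ( '' !== $ext ? '.' . $ext : '' );
    move_uploaded_file( $tmp_path, $dir . '/' . $stored );
    $order = wc_get_order( $order_id );
    $order->update_meta_data( '_cu_attachment', $stored );
    $order->save();
    return $stored;
}

// Authenticated download endpoint: admin_post_* hooks only fire for logged-in users, and the
// handler additionally requires that the requester owns the order or manages the shop.
add_action( 'admin_post_cu_download', function () {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_die( 'Not found', '', 404 );
    }
    $owner = (int) $order->get_customer_id() === get_current_user_id();
    if ( ! $owner && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Forbidden', '', 403 );
    }
    $stored = basename( (string) $order->get_meta( '_cu_attachment' ) ); // basename() blocks traversal
    $path   = dirname( ABSPATH ) . '/private-uploads/' . $stored;
    if ( '' === $stored || ! is_file( $path ) ) {
        wp_die( 'Not found', '', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $stored . '"' );
    readfile( $path );
    exit;
} );
```

Where a deployment cannot move files outside the document root, the fallback is a web-server rule that denies direct requests to the attachment subdirectory so that only the handler above can read them.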
Advisories and related resources, including Wordfence threat intelligence and WordPress plugin Trac entries, reference the affected files class-wau-front-end.php and woocommerce-addon-uploads.php, along with a specific changeset in the woo-addon-uploads repository detailing the changes made. Security practitioners should consult these for patch details and mitigation guidance.
Details
- CWE(s)