CVE-2024-8425
Published: 28 February 2025
Description
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this may have been patched on an older version than 2.9.2, however, we do not have access to older versions of the software to confirm when the patch was added. The only patched version we have confirmed is 2.9.3.
Security Summary
CVE-2024-8425 is a critical vulnerability in the WooCommerce Ultimate Gift Card plugin for WordPress, affecting all versions up to and including 2.9.2. It stems from insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions, enabling arbitrary file uploads (CWE-434). Published on 2025-02-28, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this flaw remotely over the network with low complexity and no privileges required. By uploading arbitrary files to the affected WordPress site's server, they may achieve remote code execution, potentially leading to full server compromise.
The vulnerability has been patched in version 2.9.3, though it may have been addressed in an earlier release without confirmation due to lack of access to older versions. Security practitioners should update to at least 2.9.3 and refer to the Wordfence advisory for detailed threat intelligence or the plugin's CodeCanyon page for version history.
Details
- CWE(s)