CVE-2024-35658

2024-06-1016:15:15

CWE-22

[email protected]

web.nvd.nist.gov

vulnerability

functionality misuse

file manipulation

woocommerce

themehigh

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

8.6 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.1%

JSON

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in ThemeHigh Checkout Field Editor for WooCommerce (Pro) allows Functionality Misuse, File Manipulation.This issue affects Checkout Field Editor for WooCommerce (Pro): from n/a through 3.6.2.

Affected configurations

Vulners

NVD

Node

themehighcheckout_field_editor_for_woocommerceRange≤3.6.2

CPENameOperatorVersion
themehigh:checkout_field_editor_for_woocommercethemehigh checkout field editor for woocommercelt3.6.3

CPE	Name	Operator	Version
themehigh:checkout_field_editor_for_woocommerce	themehigh checkout field editor for woocommerce	lt	3.6.3

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Checkout Field Editor for WooCommerce (Pro)",
    "vendor": "ThemeHigh",
    "versions": [
      {
        "changes": [
          {
            "at": "3.6.3",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.6.2",
        "status": "affected",
        "version": "n/a",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/woocommerce-checkout-field-editor-pro/wordpress-checkout-field-editor-for-woocommerce-pro-plugin-3-6-2-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve