CVE-2024-35658 WordPress Checkout Field Editor for WooCommerce (Pro) plugin <= 3.6.2 - Unauthenticated Arbitrary File Deletion vulnerability

2024-06-1015:45:08

CWE-22

Patchstack

www.cve.org

cve-2024-35658

wordpress

woocommerce

path traversal

file deletion

functionality misuse

file manipulation

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

18.1%

JSON

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in ThemeHigh Checkout Field Editor for WooCommerce (Pro) allows Functionality Misuse, File Manipulation.This issue affects Checkout Field Editor for WooCommerce (Pro): from n/a through 3.6.2.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Checkout Field Editor for WooCommerce (Pro)",
    "vendor": "ThemeHigh",
    "versions": [
      {
        "changes": [
          {
            "at": "3.6.3",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.6.2",
        "status": "affected",
        "version": "n/a",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/woocommerce-checkout-field-editor-pro/wordpress-checkout-field-editor-for-woocommerce-pro-plugin-3-6-2-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve