wpvulndb | Utkarsh Agrawal | WPVDB-ID: 8189AFC4-17B3-4696-89E1-731011CB9E2B
History: Aug 14, 2023 - 12:00 a.m.

Orders Tracking for WooCommerce < 1.2.6 - Admin+ Arbitrary File Access/Read

Published: 2023-08-14 00:00:00
Author: Utkarsh Agrawal
Source: wpscan.com
Tags: woocommerce, arbitrary file access, traversal attack

AI Score: 3.6
Confidence: High
EPSS: 0.001
Percentile: 23.9%

Description

The plugin does not validate the file_url parameter when importing a CSV file, so a high-privilege user (one holding the manage_woocommerce capability) can make the import step open an arbitrary path on the web server via a path traversal attack. Only the first line of the target file is disclosed, because the import reads it as the CSV header row and shows it in the column-mapping step.

PoC

1. As an admin (or any user with the manage_woocommerce capability), open:

   https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csv&step=mapping&file_url=/etc/passwd

2. Change the file_url parameter to any file on the web server that the PHP process can read.

3. Observe that the plugin displays the first line of that file in each of the "Column name" dropdowns.
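The following is an added example and not code from the Orders Tracking for WooCommerce plugin. It reproduces the pattern the advisory and PoC describe (an importer that opens whatever path arrives in file_url and returns its first line as the CSV header) next to the validation that prevents it: canonicalise the path with realpath(), require it to resolve inside the import directory, and refuse stream wrappers. The function names, the use of a separate import directory, and the sample files are assumptions for illustration; in a real plugin the base directory would come from wp_upload_dir()['basedir'].

```php
<?php
// Added example; not the plugin's own code. PHP >= 8.0, Unix-style paths assumed.
declare(strict_types=1);

/**
 * Vulnerable pattern: trust $file_url, open it and return the header row.
 * fgetcsv() reads a single line, which is why the advisory says only the
 * first line of the target file is disclosed.
 */
function read_csv_header_unsafe(string $file_url): array
{
    $fh = @fopen($file_url, 'r');
    if ($fh === false) {
        return [];
    }
    $row = fgetcsv($fh, null, ',', '"', ''); // explicit args; escape disabled
    fclose($fh);
    return $row === false ? [] : $row;
}

/**
 * Hardened pattern: accept only a *.csv file that resolves inside $import_dir.
 * $import_dir is a parameter (assumption) so the example runs without WordPress.
 */
function read_csv_header_safe(string $file_url, string $import_dir): array
{
    // Refuse stream wrappers (php://, phar://, http://, ...) and NUL bytes up front.
    if ($file_url === '' || str_contains($file_url, "\0")
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $file_url)) {
        return [];
    }
    $base = realpath($import_dir);
    if ($base === false) {
        return [];
    }
    // Absolute paths are resolved as given; relative ones against the import
    // directory. realpath() collapses "../" and symlinks, so the prefix check
    // below is made on the real location, not on the attacker-supplied string.
    $path = realpath($file_url[0] === '/' ? $file_url : $base . '/' . $file_url);
    if ($path === false || !is_file($path)) {
        return [];
    }
    if (!str_starts_with($path, $base . '/')) {
        return []; // resolved outside the import directory: traversal attempt
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'csv') {
        return [];
    }
    return read_csv_header_unsafe($path); // $path is vetted at this point
}

// Demo on constructed files: a legitimate CSV inside the import directory and a
// "secret" outside it, standing in for /etc/passwd from the PoC.
$import_dir = sys_get_temp_dir() . '/wot-import-' . bin2hex(random_bytes(4));
mkdir($import_dir, 0700, true);
file_put_contents("$import_dir/orders.csv", "order_id,tracking_number,carrier\n1,XYZ123,UPS\n");
$secret = sys_get_temp_dir() . '/wot-secret-' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\nsecond line is never read\n");

var_dump(read_csv_header_unsafe($secret));                               // leaks the first line
var_dump(read_csv_header_safe($secret, $import_dir));                    // [] absolute path outside import dir
var_dump(read_csv_header_safe('../' . basename($secret), $import_dir));  // [] traversal collapsed by realpath()
var_dump(read_csv_header_safe('orders.csv', $import_dir));               // ["order_id","tracking_number","carrier"]

unlink("$import_dir/orders.csv");
rmdir($import_dir);
unlink($secret);
```

The capability check the advisory mentions (manage_woocommerce) gates who can reach the import page, but it does not constrain which file is opened; the realpath-plus-prefix check is what actually closes the traversal, and it must run on the canonical path rather than on a string that has merely had "../" stripped.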
