Description

The plugin does not validate the file_url parameter when importing a CSV file, allowing high-privilege users with the manage_woocommerce capability to read any file on the web server via a path traversal attack. The retrieved content is, however, limited to the first line of the file.
As an admin, open the following URL: https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csv&step=mapping&file_url=/etc/passwd

Change the file_url parameter to a file on the web server and observe that the plugin will display the first line of the file in each of the "Column name" dropdowns.
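The root cause described above is that a user-controlled path is opened without being confined to the directory the importer is meant to read from. The following is an added example of the kind of check a CSV import handler could apply before opening the file; it is not the plugin's own code, and the function name wot_example_validate_csv_path, the $base_dir parameter and the usage comments are assumptions. It relies on the WordPress core functions wp_upload_dir(), wp_unslash() and wp_die(), and on PHP's realpath() to resolve "..", symlinks and redundant separators before comparing prefixes.

```php
<?php
// Added example, not the plugin's code: confine a user-supplied CSV path to the
// WordPress uploads directory before it is opened by the importer.

/**
 * Resolve $file_url and confirm it lives inside $base_dir (defaults to the
 * WordPress uploads directory). Returns the canonical path on success, or
 * false if the file does not exist, resolves outside the allowed directory,
 * or is not a .csv file.
 */
function wot_example_validate_csv_path( $file_url, $base_dir = null ) {
    if ( $base_dir === null ) {
        $upload   = wp_upload_dir();
        $base_dir = $upload['basedir'];
    }

    // realpath() returns false for non-existent paths and canonicalises
    // "..", "." and symlinks, so traversal sequences cannot survive it.
    $base_real = realpath( $base_dir );
    $real      = realpath( $file_url );
    if ( $base_real === false || $real === false ) {
        return false;
    }

    // Compare against the base directory plus a trailing separator so that a
    // sibling such as "/uploads-other/" is not accepted for "/uploads".
    $prefix = rtrim( $base_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $real, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false;
    }

    // The importer only expects CSV files; reject anything else even if it
    // sits inside the uploads directory.
    if ( strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ) !== 'csv' ) {
        return false;
    }

    return $real;
}

// Hypothetical use inside the mapping step of the import handler. The
// capability check is kept: it limits who can reach the code, but on its own
// it does not constrain which file is read, which is the gap described above.
if ( ! current_user_can( 'manage_woocommerce' ) ) {
    wp_die( 'Insufficient permissions.' );
}
$path = wot_example_validate_csv_path( wp_unslash( $_GET['file_url'] ?? '' ) );
if ( $path === false ) {
    wp_die( 'Invalid import file.' );
}
$handle = fopen( $path, 'r' ); // safe to read the header row from here
```

With this check in place a request carrying file_url=/etc/passwd resolves to a path outside the uploads directory and is rejected before any line is read, whereas a previously uploaded export.csv inside the uploads directory still passes.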