
Critical Vulnerability Found in WooCommerce Upload Files

In December, the Wordfence team was notified of a possible 0-day vulnerability in the WooCommerce Upload Files Plugin. This add-on has over 5,000 installations.

This plugin is separate from the main WooCommerce plugin and is designed as an add-on to it.

Wordfence notified the plugin's developer back in December, and the plugin was patched the same day.

WooCommerce Upload Files is a premium plugin that allows clients to upload images during the checkout process for customised products.

Description: Unauthenticated Arbitrary File Upload
Affected Plugin: WooCommerce Upload Files
Plugin Slug: woocommerce-upload-files
Affected Versions: < 59.4
CVE ID: CVE-2021-24171
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 59.4

Timeline of events:

December 29, 2020
08:25 MST – Wordfence Threat Intelligence becomes aware of a potential 0-day in the WooCommerce Upload Files plugin.
09:09 MST – We find the vulnerable code and develop a proof of concept exploit.
09:48 MST – We write a firewall rule to block the exploit and begin testing.
10:36 MST – We initiate contact with the plugin developer.
11:10 MST – The plugin developer responds, and we provide full disclosure.
13:33 MST – The plugin developer releases a patched version.
18:09 MST – Our firewall rule passes final tests and is released to Wordfence Premium customers.

January 28, 2021
The firewall rule becomes available to free Wordfence users.

To stop issues like this, Hosted WP suggests looking at a service like our WordPress Maintenance services to ensure you are always updated and protected from plugin security issues.

Full technical details can be found at https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-woocommerce-upload-files/

About the author

David Sullivan
Owner of Hosted WP.