CVE-2018-20714: Path Traversal
First published: Tue Jan 15 2019(Updated: )
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Woocommerce Woocommerce | <3.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2018-20714.
What is the vulnerability in the Automattic WooCommerce plugin?
The vulnerability is a File Deletion vulnerability in the logging system of the Automattic WooCommerce plugin.
How does the vulnerability in the Automattic WooCommerce plugin work?
The vulnerability allows deletion of woocommerce.php, which can lead to certain privilege checks not being in place, allowing a shop manager to escalate privileges to admin.
What is the severity of CVE-2018-20714?
The severity of CVE-2018-20714 is high with a CVSS score of 8.1.
How do I fix the vulnerability in the Automattic WooCommerce plugin?
To fix the vulnerability, upgrade to version 3.4.6 or higher of the Automattic WooCommerce plugin for WordPress.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/woocommerce
- canonical/woocommerce woocommerce