CVE-2024-10820: WooCommerce Upload Files <= 84.3 - Unauthenticated Arbitrary File Upload
First published: Wed Nov 13 2024(Updated: )
The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vanquish Woocommerce Upload Files Wordpress | <84.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-10820?
CVE-2024-10820 is classified as a high severity vulnerability due to its potential for arbitrary file uploads.
How do I fix CVE-2024-10820?
To fix CVE-2024-10820, update the WooCommerce Upload Files plugin to version 84.4 or later.
Who is affected by CVE-2024-10820?
CVE-2024-10820 affects all versions of the WooCommerce Upload Files plugin for WordPress up to and including version 84.3.
Can CVE-2024-10820 be exploited by authenticated users?
No, CVE-2024-10820 can be exploited by unauthenticated attackers.
What type of files can be uploaded due to CVE-2024-10820?
Due to CVE-2024-10820, attackers can upload arbitrary files, potentially leading to further exploitation.
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/source
- vendor/vanquish
- canonical/vanquish woocommerce upload files wordpress