Main Vulnerability Database Vulnerabilities #VU31166

Path traversal in WooCommerce - CVE-2018-20714

Published: January 15, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU31166

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-20714

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: WooCommerce

Affected software:
WooCommerce

Detailed vulnerability description

The vulnerability allows a remote authenticated user to #BASIC_IMPACT#.

The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin.

How to mitigate CVE-2018-20714

Install update from vendor's website.

Sources

https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

Path traversal in WooCommerce - CVE-2018-20714

Detailed vulnerability description

How to mitigate CVE-2018-20714

Sources

Please verify you're human