← back
CVE-2024-13638

Order Attachments for WooCommerce <= 2.5.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

CVSS 5.9 MEDIUMEPSS 0.4%CWE-200
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.9EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
28 Feb 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments added to orders.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
sldesignpl · Order Attachments for WooCommerce

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/trunk/src/WCOA/Attachments/Attachment.php#L87https://plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/trunk/src/WCOA/Utils/Ajax.php#L61https://www.wordfence.com/threat-intel/vulnerabilities/id/7e98b1ef-70dd-408d-8644-08933bca1cdd?source=cve