Vulnerabilities and security researches fororder-attachments-for-woocommerce order-attachments-for-woocommerce

Oct 13, 2024

CVE, Research URL: CVE-2024-9756
Home page URL: Security reports for Order Attachments for WooCommerce
Application: Order Attachments for WooCommerce
Date: Oct 12, 2024
Research Description: The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload limited file types.
Affected versions: Min -, max -.
Status: vulnerable

Mar 01, 2025

CVE, Research URL: CVE-2024-13638
Home page URL: Security reports for Order Attachments for WooCommerce
Application: Order Attachments for WooCommerce
Date: Feb 28, 2025
Research Description: The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments added to orders.
Affected versions: Min -, max -.
Status: vulnerable