Vulnerabilities and security researches forproduct-input-fields-for-woocommerce product-input-fields-for-woocommerce

Jun 06, 2024

CVE, Research URL: CVE-2024-31431
Home page URL: Security reports for Product Input Fields for WooCommerce
Application: Product Input Fields for WooCommerce
Date: Apr 15, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Product Input Fields for WooCommerce.This issue affects Product Input Fields for WooCommerce: from n/a through 1.7.0.
Affected versions: max 1.8.0.
Status: vulnerable

CVE, Research URL: 6d407a98979a822c8bdfca6cab2c8ca04b1b4712
Home page URL: Security reports for Product Input Fields for WooCommerce
Application: Product Input Fields for WooCommerce
Date: Aug 03, 2020
Research Description: Product Input Fields for WooCommerce [product-input-fields-for-woocommerce] < 1.2.7 WordPress Product Input Fields for WooCommerce plugin <= 1.2.6 - Unauthenticated Arbitrary File Download vulnerability Unauthenticated Arbitrary File Download vulnerability discovered by NinTechNet in WordPress Product Input Fields for WooCommerce plugin (versions <= 1.2.6).
Affected versions: max 1.2.7.
Status: vulnerable

CVE, Research URL: CVE-2020-36696
Home page URL: Security reports for Product Input Fields for WooCommerce
Application: Product Input Fields for WooCommerce
Date: Jun 07, 2023
Research Description: The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the vulnerable service.
Affected versions: max 1.2.7.
Status: vulnerable

Nov 26, 2024

CVE, Research URL: CVE-2024-10857
Home page URL: Security reports for Product Input Fields for WooCommerce
Application: Product Input Fields for WooCommerce
Date: Nov 26, 2024
Research Description: The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.9 via the handle_downloads() function due to insufficient file path validation/sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected versions: max 2.0.
Status: vulnerable

Mar 09, 2025

CVE, Research URL: CVE-2024-13359
Home page URL: Security reports for Product Input Fields for WooCommerce
Application: Product Input Fields for WooCommerce
Date: Mar 08, 2025
Research Description: The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and including, 1.12.0. This may make it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that by default the plugin is only vulnerable to a double extension file upload attack, unless an administrators leaves the accepted file extensions field blank which can make .php file uploads possible. Please note 1.12.2 was mistakenly marked as patched while 1.12.1 was marked as vulnerable for a short period of time, this is not the case and 1.12.1 is fully patched.
Affected versions: max 1.12.2.
Status: vulnerable