cleantalk
Vulnerabilities and Security Researches

Admin and Customer Messages After Order for WooCommerce: OrderConvo, CVE-2024-13355

CVE, Research URL

CVE-2024-13355

Home page URL

Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo

Application

Admin and Customer Messages After Order for WooCommerce: OrderConvo

Published on
Jan 16, 2025
Research Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.
Affected versions
max 13.3.
Status
vulnerable
Previous vulnerability researches
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2024-13355) , Jan 17, 2025
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2024-33566) , Jun 07, 2024
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2025-10162) , Nov 10, 2025
New vulnerability
CoSchedule (CVE-2025-49913) , Nov 11, 2025
Simple Finance Calculator (CVE-2025-60246) , Nov 11, 2025
Smart WeTransfer (CVE-2025-62909) , Nov 11, 2025
百度站长SEO合集(支持百度/神马/Bing/头条推送) (CVE-2025-62977) , Nov 11, 2025
WP jQuery Pager (CVE-2025-10575) , Nov 11, 2025