cleantalk
Vulnerabilities and Security Researches

Order Attachments for WooCommerce, CVE-2024-9756

CVE, Research URL

CVE-2024-9756

Home page URL

Security reports for Order Attachments for WooCommerce

Application

Order Attachments for WooCommerce

Published on
Oct 12, 2024
Research Description
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload limited file types.
Affected versions
Min -, max 2.5.0.
Status
vulnerable
Previous vulnerability researches
Order Attachments for WooCommerce (CVE-2024-9756) , Oct 13, 2024
Order Attachments for WooCommerce (CVE-2024-13638) , Mar 01, 2025
New vulnerability
SMS Alert Order Notifications – WooCommerce (CVE-2025-3876) , May 11, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-3878) , May 11, 2025
WordPress Review Plugin: The Ultimate Solution for Building a Review Website (CVE-2025-2158) , May 11, 2025
Drag and Drop Multiple File Upload for WooCommerce (CVE-2025-4403) , May 11, 2025
Contact Us By Lord Linus (CVE-2025-1382) , May 11, 2025