cleantalk
Vulnerabilities and Security Researches

Product Addons & Fields for WooCommerce, CVE-2024-3962

CVE, Research URL

CVE-2024-3962

Home page URL

Security reports for Product Addons & Fields for WooCommerce

Application

Product Addons & Fields for WooCommerce

Published on
Apr 26, 2024
Research Description
The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce.
Affected versions
max 32.0.19.
Status
vulnerable
Previous vulnerability researches
Product Addons & Fields for WooCommerce (CVE-2025-24668) , Jan 26, 2025
Product Addons & Fields for WooCommerce (CVE-2025-11691) , Nov 10, 2025
Product Addons & Fields for WooCommerce (CVE-2025-11391) , Nov 10, 2025
Product Addons & Fields for WooCommerce (CVE-2019-14948) , Jun 07, 2024
Product Addons & Fields for WooCommerce (CVE-2024-3962) , Jun 07, 2024
New vulnerability
WPC Smart Messages for WooCommerce (CVE-2025-62903) , Nov 11, 2025
Popular Posts by Webline (CVE-2025-62900) , Nov 11, 2025
Simple Youtube Shortcode (CVE-2025-11811) , Nov 11, 2025
Open Currency Converter (CVE-2025-62939) , Nov 11, 2025
Cookie Notice & Consent (CVE-2025-10496) , Nov 11, 2025