NuytsTech Security

CVE-2023-6979

by ·

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_import_upload_csv AJAX action in all versions up to, and including, 5.38.9. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Date published : 2024-01-11

https://drive.proton.me/urls/K4R2HDQBS0#iuTPm3NqZEdz

https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/import-export/class-cr-reviews-importer.php#L35

Tags: