Description
WordPress Plugin Woocommerce CSV importer is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to delete arbitrary files in the context of the webserver process. WordPress Plugin Woocommerce CSV importer version 3.3.6 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 3.4.0 or latest
References
http://lenonleite.com.br/en/publish-exploits/plugin-woocommerce-csv-importer-3-3-6-rce-unlink/
https://www.youtube.com/watch?v=By7kT7UbHVk
https://www.exploit-db.com/exploits/44433/
https://plugins.trac.wordpress.org/browser/woocommerce-csvimport/trunk/readme.txt
Related Vulnerabilities
WordPress Plugin WP Subtitle Unspecified Vulnerability (2.5)
WordPress Plugin leads5050-visitor-insights Security Bypass (1.0.5)
WordPress Plugin Media Mirror Cross-Site Scripting (1.0.6)
Jboss EAP Insertion of Sensitive Information into Log File Vulnerability (CVE-2019-10212)
ATutor Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2019-11446)