Description

WordPress Plugin WooCommerce Products Filter is prone to multiple vulnerabilities, including local file inclusion and arbitrary code execution vulnerabilities. Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks, or to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data or to compromise a vulnerable system. WordPress Plugin WooCommerce Products Filter version 1.1.9 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.2.0 or latest

References

http://wphutte.com/woocommerce-products-filter-v1-1-9-arbitrary-local-file-include/

https://www.sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html

https://packetstormsecurity.com/files/146765/WOOF-WooCommerce-Products-Filter-1.1.9-LFI-Code-Execution.html

https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/

Related Vulnerabilities

WordPress 4.3.x Multiple Vulnerabilities (4.3 - 4.3.4)

WordPress Plugin AdRoll for WooCommerce Stores Unspecified Vulnerability (2.2.5)

Joomla! Core 3.x.x Cross-Site Scripting (3.1.2 - 3.2.2)

WordPress Plugin Chatbot with IBM Watson Cross-Site Scripting (0.8.20)

WordPress Plugin Support Board-Chat And Help Desk Cross-Site Scripting (1.2.8)

Severity

High

Classification

CVE-2018-8710 CVE-2018-8711 CWE-22 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Tags

Missing Update