Description

WordPress Plugin WooCommerce Products Filter is prone to multiple vulnerabilities, including local file inclusion and arbitrary code execution vulnerabilities. Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks, or to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data or to compromise a vulnerable system. WordPress Plugin WooCommerce Products Filter version 1.1.9 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.2.0 or latest

References

http://wphutte.com/woocommerce-products-filter-v1-1-9-arbitrary-local-file-include/

https://www.sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html

https://packetstormsecurity.com/files/146765/WOOF-WooCommerce-Products-Filter-1.1.9-LFI-Code-Execution.html

https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/

Related Vulnerabilities

WordPress Plugin Yoast SEO Cross-Site Scripting (5.7.1)

WordPress Plugin DB Backup Directory Traversal (4.5)

WordPress Plugin Contact Form Email Information Disclosure (1.2.66)

PHP HTML entity encoder heap overflow vulnerability

WordPress Plugin WPBook Cross-Site Request Forgery (2.7)

Severity

High

Classification

CVE-2018-8710 CVE-2018-8711 CWE-22 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Tags

Missing Update