Description

WordPress Plugin WOOF-Products Filter for WooCommerce is prone to multiple vulnerabilities, including local file inclusion and arbitrary code execution vulnerabilities. Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks, or to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data or to compromise a vulnerable system. WordPress Plugin WOOF-Products Filter for WooCommerce version 1.1.9 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.2.0 or latest

References

http://wphutte.com/woocommerce-products-filter-v1-1-9-arbitrary-local-file-include/

https://www.sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html

https://packetstormsecurity.com/files/146765/WOOF-WooCommerce-Products-Filter-1.1.9-LFI-Code-Execution.html

https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/

Related Vulnerabilities

Chamilo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-4029)

WordPress Plugin User Login Log Cross-Site Scripting (2.2.2)

WordPress Plugin WP Gravity Forms Zoho CRM Add-on Cross-Site Scripting (1.1.5)

WordPress 4.7.x Denial of Service Vulnerability (4.7 - 4.7.9)

Perl Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2018-18314)

Severity

High

Classification

CVE-2018-8710 CVE-2018-8711 CWE-22 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update