CVE-2024-13355: CWE-434 Unrestricted Upload of File with Dangerous Type in nmedia Admin and Customer Messages After Order for WooCommerce: OrderConvo
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.
AI Analysis
Technical Summary
CVE-2024-13355 is a CWE-434 vulnerability in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress. It arises from insufficient validation of file types in the upload_file() function, allowing authenticated users with low privileges (Subscriber-level and above) to upload potentially dangerous files. This can enable remote code execution and confirmed cross-site scripting attacks. The vulnerability affects all versions up to 13.2. The CVSS 3.1 base score is 5.4, reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, scope changed, and low confidentiality and integrity impact with no availability impact.
Potential Impact
Authenticated attackers with Subscriber-level access or higher can upload files to the affected WordPress site, potentially enabling remote code execution and cross-site scripting attacks. This compromises the confidentiality and integrity of the site and its users. There is no indication of availability impact. No known exploits are currently reported in the wild.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict user permissions to prevent untrusted users from uploading files and monitor for suspicious file uploads related to this plugin.
CVE-2024-13355: CWE-434 Unrestricted Upload of File with Dangerous Type in nmedia Admin and Customer Messages After Order for WooCommerce: OrderConvo
Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-13355 is a CWE-434 vulnerability in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress. It arises from insufficient validation of file types in the upload_file() function, allowing authenticated users with low privileges (Subscriber-level and above) to upload potentially dangerous files. This can enable remote code execution and confirmed cross-site scripting attacks. The vulnerability affects all versions up to 13.2. The CVSS 3.1 base score is 5.4, reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, scope changed, and low confidentiality and integrity impact with no availability impact.
Potential Impact
Authenticated attackers with Subscriber-level access or higher can upload files to the affected WordPress site, potentially enabling remote code execution and cross-site scripting attacks. This compromises the confidentiality and integrity of the site and its users. There is no indication of availability impact. No known exploits are currently reported in the wild.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict user permissions to prevent untrusted users from uploading files and monitor for suspicious file uploads related to this plugin.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-13T15:44:42.032Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e51b7ef31ef0b59e273
Added to database: 2/25/2026, 9:49:05 PM
Last enriched: 4/9/2026, 1:00:39 PM
Last updated: 4/12/2026, 10:28:03 AM
Views: 25
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.