
CVE-2024-13359: CWE-434 Unrestricted Upload of File with Dangerous Type in tychesoftwares Product Input Fields for WooCommerce

Severity: High
Tags: vulnerability, cve-2024-13359, cwe-434
Published: Sat Mar 08 2025 (03/08/2025, 09:22:53 UTC)
Source: CVE Database V5
Vendor/Project: tychesoftwares
Product: Product Input Fields for WooCommerce

Description

CVE-2024-13359 is a high-severity vulnerability in the Product Input Fields for WooCommerce WordPress plugin that allows unauthenticated attackers to upload arbitrary files due to insufficient file type validation. The vulnerability exists in all versions up to and including 1.12.0 and can lead to remote code execution, especially if administrators misconfigure accepted file extensions. By default, the plugin is vulnerable to double extension file uploads, which can bypass restrictions. The vulnerability is rooted in CWE-434: Unrestricted Upload of File with Dangerous Type. No known exploits are currently reported in the wild. This flaw poses a significant risk to websites using this plugin, potentially compromising confidentiality, integrity, and availability. Patch versions 1.12.

AI-Powered Analysis

Last updated: 02/26/2026, 01:25:55 UTC

Technical Analysis

The Product Input Fields for WooCommerce plugin, widely used in WordPress e-commerce sites, suffers from a critical file upload vulnerability identified as CVE-2024-13359. The root cause lies in the add_product_input_fields_to_order_item_meta() function, which fails to adequately validate file types during uploads. This allows unauthenticated attackers to upload arbitrary files, including potentially malicious scripts. By default, the plugin restricts direct .php uploads, but attackers can exploit double extension techniques (e.g., file.php.jpg) to bypass these checks. If an administrator misconfigures the accepted file extensions by leaving the field blank, direct .php file uploads become possible, significantly increasing risk. Successful exploitation can lead to remote code execution on the server, compromising the entire website and backend systems. The vulnerability affects all versions up to and including 1.12.0. Although version 1.12.2 was mistakenly marked as patched, the correct patched version is 1.12.1. The CVSS v3.1 score is 8.1, reflecting high impact on confidentiality, integrity, and availability with no authentication or user interaction required, but with a high attack complexity. No known exploits have been reported in the wild yet, but the potential for severe damage is substantial given the plugin’s widespread use in WooCommerce environments.

Potential Impact

This vulnerability can have severe consequences for organizations using the affected plugin. An attacker could upload malicious files leading to remote code execution, enabling full compromise of the web server. This can result in data theft, website defacement, insertion of backdoors, pivoting to internal networks, and disruption of e-commerce operations. The confidentiality of customer data and payment information could be breached, damaging reputation and leading to regulatory penalties. The integrity of the website content and transactional data can be undermined, and availability may be impacted by denial-of-service conditions caused by malicious payloads. Since the vulnerability requires no authentication or user interaction, it is highly exploitable remotely, increasing the risk of widespread attacks. Organizations relying on WooCommerce for online sales are particularly at risk, as attackers may target these sites for financial gain or to leverage compromised infrastructure for further attacks.

Mitigation Recommendations

Organizations should immediately verify the version of the Product Input Fields for WooCommerce plugin and upgrade to version 1.12.1 or later, which contains the fix. Administrators must ensure that the accepted file extensions field is never left blank to prevent direct upload of dangerous file types like .php. Implement strict server-side validation of uploaded files, including MIME type checks and file content inspection, beyond relying solely on file extensions. Employ web application firewalls (WAFs) with rules to detect and block suspicious file upload patterns, including double extensions. Restrict file upload directories with appropriate permissions and disable execution rights on upload folders to prevent execution of uploaded scripts. Regularly audit and monitor upload directories for unauthorized files. Additionally, maintain up-to-date backups and have incident response plans ready in case of compromise. Educate administrators on secure plugin configuration and the risks of improper file upload settings.
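The double-extension weakness described in the Technical Analysis and the server-side validation and upload-directory auditing steps listed above, as an added Python example. This is illustrative code written for this page, not the plugin's or Wordfence's code: `naive_check` is a hypothetical stand-in for a last-extension-only check (it does not reproduce add_product_input_fields_to_order_item_meta()), and the `EXECUTABLE_EXTS` list, the `MAGIC` signatures, the sample filenames and the sample bytes are all assumptions constructed for the demonstration. It shows why an allowlist must reject an executable extension anywhere in the name, why a blank allowlist must mean deny rather than allow-all, why content bytes are checked against the declared type, and how the same gate can be re-run over an existing upload directory to find files that should never have been accepted.

```python
import os
import secrets
import shutil
import tempfile
from dataclasses import dataclass

# Extensions a typical web server may hand to a script engine. Any of these
# appearing anywhere in the dotted name (file.php.jpg) makes the upload unsafe.
# This list is an assumption for the example, not taken from the plugin.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
                   "shtml", "cgi", "pl", "py", "asp", "aspx", "jsp"}

# Leading bytes of the content types this example's allowlist may admit.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    safe_name: str = ""   # server-chosen name, set only when accepted


def naive_check(filename, allowed):
    """Hypothetical weak pattern: trust only the final extension.
    'file.php.jpg' passes because the last segment is jpg."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed


def validate_upload(filename, content, allowed_exts):
    """Hardened gate: allowlist, no executable segment anywhere, content
    signature must match, and the stored name is chosen by the server."""
    allowed = {e.strip().lower().lstrip(".") for e in allowed_exts if e.strip()}
    if not allowed:                       # blank setting must mean deny, not allow-all
        return Verdict(False, "empty allowlist: refusing all uploads")
    if allowed & EXECUTABLE_EXTS:
        return Verdict(False, "allowlist admits an executable extension")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    if base in ("", ".", "..") or "\x00" in base:
        return Verdict(False, "invalid filename")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return Verdict(False, "missing or dotfile-style extension")
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return Verdict(False, "executable extension present: ." + ".".join(exts))
    ext = exts[-1]
    if ext not in allowed:
        return Verdict(False, f"extension .{ext} not in allowlist")
    sigs = MAGIC.get(ext)
    if sigs is None:
        return Verdict(False, f"no content signature known for .{ext}")
    if not content.startswith(sigs):      # bytes.startswith accepts a tuple
        return Verdict(False, "content does not match declared type")
    return Verdict(True, "ok", f"{secrets.token_hex(8)}.{ext}")


def audit_upload_dir(root, allowed_exts):
    """Re-run the gate over files already on disk; returns (name, reason) for
    anything that would not pass today, e.g. after a blank-allowlist period."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(16)
            verdict = validate_upload(name, head, allowed_exts)
            if not verdict.accepted:
                findings.append((name, verdict.reason))
    return sorted(findings)


def demo_audit():
    """Constructed sample upload directory (not real data); returns findings."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "invoice.pdf": b"%PDF-1.7\n",
        "avatar.php.jpg": b"<?php /* not an image */ ?>",
        "notes.txt": b"plain text",
    }
    try:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root, ["jpg", "png", "pdf"])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("naive accepts file.php.jpg:", naive_check("file.php.jpg", {"jpg"}))
    print("hardened:", validate_upload("file.php.jpg", b"\xff\xd8\xff", ["jpg"]))
    for name, reason in demo_audit():
        print(f"audit: {name}: {reason}")
```

The gate renames every accepted file to a server-generated name, so even a legitimate multi-dot filename never reaches disk as typed; combined with removing execute permissions on the upload directory at the web server, this removes the two conditions the double-extension technique depends on. The audit function is deliberately the same validator applied after the fact, so a site that ran for a while with a blank allowlist can list exactly which stored files the corrected policy would reject.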


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-13T16:27:00.061Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e51b7ef31ef0b59e2e2

Added to database: 2/25/2026, 9:49:05 PM

Last enriched: 2/26/2026, 1:25:55 AM

Last updated: 2/26/2026, 6:13:10 AM

Views: 2
