CVE-2024-8393 is a Local File Inclusion vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement) found in the Woocommerce Blocks – Woolook plugin for WordPress, affecting all versions up to and including 1.7.0. The vulnerability arises from insufficient validation of the 'tab' parameter, which is used in PHP include or require statements. Authenticated attackers with Administrator-level access or higher can manipulate this parameter to include arbitrary files from the server filesystem, potentially executing malicious PHP code. This can be exploited to bypass access controls, extract sensitive information, or achieve remote code execution. The vulnerability can also be exploited via Cross-Site Request Forgery (CSRF), enabling attackers to trigger the inclusion without direct user interaction once the victim is authenticated. The CVSS 3.1 base score is 6.6, indicating a medium severity due to the requirement of high privileges and attack complexity. While no public exploits are currently known, the vulnerability poses a serious risk to affected WordPress sites, especially those with multiple administrators or where CSRF protections are weak or absent. The lack of a patch at the time of reporting increases the urgency for mitigation.

The impact of CVE-2024-8393 is significant for organizations using the Woocommerce Blocks – Woolook plugin on WordPress. Successful exploitation can lead to arbitrary code execution on the web server, allowing attackers to fully compromise the affected system. This includes the ability to bypass access controls, steal sensitive data such as customer information and credentials, and potentially pivot to other internal systems. The vulnerability requires administrator-level access, so the initial compromise vector may involve credential theft or insider threats. The ability to exploit via CSRF increases the risk by enabling remote exploitation without direct attacker interaction. Organizations running e-commerce sites with this plugin face risks of data breaches, service disruption, and reputational damage. The medium CVSS score reflects the balance between the high impact of code execution and the high privileges required, but the real-world risk depends on the security posture and user access controls of the affected sites.

To mitigate CVE-2024-8393, organizations should immediately upgrade the Woocommerce Blocks – Woolook plugin to a patched version once available. Until a patch is released, restrict administrator access to trusted users only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Implement strict CSRF protections on the WordPress site to prevent unauthorized requests from triggering the vulnerability. Review and harden file upload and inclusion mechanisms, ensuring only safe file types are accepted and that user input is properly sanitized and validated. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the 'tab' parameter. Regularly audit administrator activity and monitor logs for unusual file inclusion attempts. Additionally, consider isolating the WordPress environment and limiting file system permissions to minimize the impact of potential exploitation.