Vulnerabilities > CVE-2024-9756 - Missing Authorization vulnerability in Directsoftware Order Attachments for Woocommerce

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

directsoftware

CWE-862

NVD

Published: 2024-10-12

Updated: 2024-11-25

Summary

The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload limited file types.

Vulnerable Configurations

Part	Description	Count
Application	Directsoftware Directsoftware Order Attachments FOR Woocommerce 2.0 Directsoftware Order Attachments FOR Woocommerce 2.0.1 Directsoftware Order Attachments FOR Woocommerce 2.1 Directsoftware Order Attachments FOR Woocommerce 2.1.1 Directsoftware Order Attachments FOR Woocommerce 2.2.0 Directsoftware Order Attachments FOR Woocommerce 2.2.1 Directsoftware Order Attachments FOR Woocommerce 2.2.2 Directsoftware Order Attachments FOR Woocommerce 2.3.0 Directsoftware Order Attachments FOR Woocommerce 2.3.1 Directsoftware Order Attachments FOR Woocommerce 2.3.2 Directsoftware Order Attachments FOR Woocommerce 2.4.0 Directsoftware Order Attachments FOR Woocommerce 2.4.1	12

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References