A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function that was accessible to anyone, without any authentication. WordPress shortcode markup in the "shortcode" parameter would be evaluated. Normally, unauthenticated users cannot evaluate shortcodes, because shortcodes are often sensitive.
History
21 Nov 2024, 04:14
Type | Values Removed | Values Added |
---|---|---|
References | () https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html - Third Party Advisory | |
References | () https://wordpress.org/plugins/woocommerce-products-filter/#developers - Release Notes | |
References | () https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/ - Vendor Advisory | |
Information
Published : 2018-03-14 19:29
Updated : 2024-11-21 04:14
NVD link : CVE-2018-8710
Mitre link : CVE-2018-8710
CVE.ORG link : CVE-2018-8710
Products Affected
woocommerce-filter
- woocommerce_products_filter
CWE
CWE-287
Improper Authentication