WebToffee Order Export & Order Import for WooCommerce
cpe:2.3:a:webtoffee:order_export_&_order_import_for_woocommerce:*:*:*:*:wordpress:*:*
- <= 2.6.0
A vulnerability in the Order Export & Order Import for WooCommerce plugin, affecting all versions through 2.6.0, allows authenticated users with Administrator-level access to delete arbitrary log files on the server. The root cause is inadequate validation of the user-supplied file path in the admin_log_page() function: the handler checks the file extension but not where the file is located, so the delete action can be pointed at files outside the plugin's own log directory.
Exploitation allows an authenticated Administrator to delete any file with a '.log' extension that the web server process is permitted to remove, including log files that belong to other software on the same host. Because the victim files are logs, the practical impact is destruction of audit and forensic evidence rather than code execution.
To reproduce, an authenticated user with Administrator privileges opens the 'Import Logs' page with the 'wt_iew_delete_log' parameter set, which triggers the delete action. The 'wt_iew_log_file' parameter names the file to remove. The handler only verifies that the value ends in '.log' and performs no further validation of the path, so the named file is unlinked wherever it resolves on the filesystem.
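The following is an added illustration of the vulnerability class described above, placed beside a hardened version of the same handler. It is not the plugin's code: the function names, the assumed log directory, the nonce action name and the exact way the request parameters are read are assumptions made for the example, and only the two parameter names come from the advisory.

```php
<?php
// Illustrative reconstruction of an extension-only check before unlink().
// NOT the plugin's real code: function names, the log directory path and
// the nonce action name are assumptions for this example.

// --- Vulnerable pattern: only the file *extension* is checked ---------------
function example_delete_log_vulnerable() {
    if ( ! isset( $_GET['wt_iew_delete_log'], $_GET['wt_iew_log_file'] ) ) {
        return;
    }
    $file = $_GET['wt_iew_log_file']; // untrusted; may contain "../" segments

    // An extension check says nothing about *where* the file lives.
    if ( substr( $file, -4 ) === '.log' ) {
        $path = WP_CONTENT_DIR . '/uploads/example-logs/' . $file; // assumed dir
        if ( file_exists( $path ) ) {
            unlink( $path ); // removes whatever .log file the traversal resolves to
        }
    }
}

// --- Hardened pattern --------------------------------------------------------
function example_delete_log_hardened() {
    if ( ! isset( $_GET['wt_iew_delete_log'], $_GET['wt_iew_log_file'] ) ) {
        return;
    }

    // 1. Capability check plus CSRF protection for a destructive admin action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_delete_log' ); // nonce action name is assumed

    // 2. Reduce the input to a bare file name so no directory component survives,
    //    then allow-list the characters and require the .log suffix.
    $name = basename( sanitize_file_name( wp_unslash( $_GET['wt_iew_log_file'] ) ) );
    if ( '' === $name || ! preg_match( '/^[A-Za-z0-9._-]+\.log$/', $name ) ) {
        wp_die( 'Invalid log file name.' );
    }

    // 3. Resolve both the log directory and the candidate file and prove
    //    containment: the resolved file must sit directly inside the log dir.
    //    realpath() follows symlinks, so a planted link pointing elsewhere
    //    resolves outside the directory and fails the dirname() comparison.
    $log_dir = realpath( WP_CONTENT_DIR . '/uploads/example-logs' ); // assumed dir
    $target  = ( false !== $log_dir ) ? realpath( $log_dir . '/' . $name ) : false;
    if ( false === $log_dir || false === $target
        || dirname( $target ) !== $log_dir
        || ! is_file( $target ) ) {
        wp_die( 'Log file not found.' );
    }

    // 4. Act only on the validated, contained path.
    unlink( $target );
}
```

The hardened version does not rely on stripping "../" from the string; it discards every directory component with basename(), then independently confirms with realpath() that the file it is about to unlink is a regular file directly inside the intended directory. Either check alone is weaker: basename() does not defend against symlinks, and realpath() on its own still accepts a traversal into a sibling directory unless the containment comparison is made.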
Users are advised to update the Order Export & Order Import for WooCommerce plugin to version 2.6.1 or later.