Woocommerce Blocks – Woolook
cpe:2.3:a:automattic:woocommerce_blocks:*:*:*:*:wordpress:*:*
- <= 1.7.0
A local file inclusion vulnerability has been identified in the Woocommerce Blocks - Woolook plugin for WordPress, affecting all versions through 1.7.0. The vulnerability arises from improper handling of the 'tab' parameter, allowing authenticated attackers with Administrator-level access to include and execute arbitrary files on the server. This could be used to bypass access controls, access sensitive information, or execute code in cases where files perceived as safe, such as images, can be uploaded and included. Additionally, this vulnerability can be exploited using Cross-Site Request Forgery (CSRF) techniques.
Exploitation of this vulnerability could lead to unauthorized file inclusion, allowing execution of arbitrary PHP code on the server. This could be used to bypass access controls, access sensitive data, or achieve code execution through uploaded files.
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
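With no patch listed, reviewing web server access logs for unusual 'tab' values on admin requests is one compensating check. The following is an added example, not code from the advisory or the plugin; the host name, the page slug in the sample lines, and the rule that a legitimate tab value is a short slug are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
# Assumption: a legitimate tab value is a short slug, never a path.
SAFE_TAB = re.compile(r"[A-Za-z0-9_-]{1,40}")

def inspect_line(line, site_host):
    """Return findings for one access-log line (empty list if nothing stands out)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if "/wp-admin/" not in url.path:
        return []
    # parse_qs percent-decodes once, so ..%2F is seen as ../ and a
    # double-encoded value still fails the slug check because of its '%'.
    tabs = parse_qs(url.query, keep_blank_values=True).get("tab", [])
    if not tabs:
        return []
    findings = []
    if any(not SAFE_TAB.fullmatch(t) for t in tabs):
        findings.append("non-slug tab value")
    # A missing or foreign Referer on an admin request is a CSRF signal,
    # not proof: bookmarks and privacy settings also strip it.
    if urlsplit(m.group("referer")).hostname != site_host:
        findings.append("no same-site referer")
    return findings

def scan(lines, site_host):
    """Map 1-based line numbers to findings, skipping clean lines."""
    results = ((n, inspect_line(l, site_host)) for n, l in enumerate(lines, 1))
    return {n: found for n, found in results if found}

# Constructed sample lines; host names, page slug and paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/admin.php?page=example-plugin&tab=general HTTP/1.1" 200 5120 "https://shop.example/wp-admin/admin.php?page=example-plugin" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-admin/admin.php?page=example-plugin&tab=..%2F..%2Fsome%2Ffile HTTP/1.1" 200 812 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:02:00 +0000] "GET /wp-admin/admin.php?page=example-plugin&tab=general HTTP/1.1" 200 5120 "https://other.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:03:00 +0000] "GET /shop/?tab=reviews HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, "shop.example"))
```

Requests sent as POST do not carry the parameter in the access log, so this covers query-string use only.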