WooCommerce OrderConvo WordPress Plugin Path Traversal Vulnerability Allowing Unauthenticated Arbitrary File Download
Vulnerability
A path traversal vulnerability has been identified in the Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin, affecting versions prior to 14. The vulnerability arises because the plugin does not properly validate file paths for downloads, potentially allowing unauthenticated attackers to read or download arbitrary files. Exploitation can be achieved by manipulating the file path to traverse directories and access sensitive files, such as the wp-config.php file.
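The root cause described above is a missing containment check on the filename the download route receives. The PHP routine below is an added example written for this page of what such a check looks like; it is not code from the OrderConvo plugin or from its version 14 fix, and the function name `safe_download_path`, the `attachments` directory layout and the sample filenames are assumptions. It resolves both the base directory and the requested file with `realpath()` and hands back a path only when the resolved file sits directly inside the base directory, so `..` segments, absolute paths and symlink escapes are all rejected by the filesystem rather than by string matching.

```php
<?php
// Added example, not code from the OrderConvo plugin: a hardened
// "resolve a download inside one fixed directory" routine of the kind a
// download-file handler needs. safe_download_path() and the directory
// names are assumptions made for this illustration.

/**
 * Return the absolute path of $requested_name inside $base_dir, or null
 * when the request escapes that directory or the file does not exist.
 */
function safe_download_path(string $base_dir, string $requested_name): ?string
{
    // 1. Only a plain file name is legitimate for an attachment download,
    //    so any directory component (including "..") is rejected outright.
    if ($requested_name === '' || $requested_name !== basename($requested_name)) {
        return null;
    }
    // basename() lets ".", ".." and NUL bytes through; reject them explicitly.
    if ($requested_name === '.' || $requested_name === '..'
        || strpos($requested_name, "\0") !== false) {
        return null;
    }

    // 2. Canonicalise both sides so symlinks and dot segments are resolved
    //    by the filesystem. realpath() returns false for missing paths.
    $real_base = realpath($base_dir);
    $real_file = realpath($base_dir . DIRECTORY_SEPARATOR . $requested_name);
    if ($real_base === false || $real_file === false) {
        return null;
    }

    // 3. Containment check with a trailing separator, so a sibling such as
    //    "/uploads-private/x" cannot pass as being inside "/uploads".
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0 || !is_file($real_file)) {
        return null;
    }
    return $real_file;
}

// Self-check against a constructed temporary layout (not a WordPress install).
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'orderconvo-demo-' . getmypid();
    mkdir($base . '/attachments', 0700, true);
    file_put_contents($base . '/attachments/invoice.pdf', 'constructed sample');
    file_put_contents($base . '/secret.conf', 'constructed sample');

    // constructed filenames => whether a download should be allowed
    $cases = [
        'invoice.pdf'      => true,   // legitimate attachment
        '../secret.conf'   => false,  // traversal out of the attachments dir
        '..%2Fsecret.conf' => false,  // still-encoded form, no such file
        '/etc/hostname'    => false,  // absolute path
        'missing.pdf'      => false,  // nonexistent file
    ];
    foreach ($cases as $name => $expected) {
        $allowed = safe_download_path($base . '/attachments', $name) !== null;
        printf("%-20s %s\n", $name, $allowed === $expected ? 'ok' : 'FAIL');
    }

    unlink($base . '/attachments/invoice.pdf');
    unlink($base . '/secret.conf');
    rmdir($base . '/attachments');
    rmdir($base);
}
```

Run it with `php safe_download_path.php`; every line should print `ok`. In a real handler the returned path is the only value that should ever reach `readfile()` or an `X-Sendfile` header, and the route should additionally check that the caller is allowed to see the order the attachment belongs to, since path containment alone does not address the missing-authentication aspect the advisory describes.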
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, which may contain critical information such as database credentials or other private data.
Reproduction
To reproduce this vulnerability, send a request to the WordPress site's REST API endpoint for the WooCommerce OrderConvo plugin, specifically the download-file route. Include an order ID and a crafted filename parameter that exploits the path traversal flaw by navigating up the directory structure to access restricted files. The order ID and filename may need to be adjusted based on the target site's configuration.
Remediation
Users are advised to update the Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin to version 14 or later.
