PPOM Product Addons and Custom Fields for WooCommerce Unauthenticated Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability allowing arbitrary file uploads has been identified in the PPOM Product Addons & Custom Fields for WooCommerce plugin, affecting all versions through 33.0.15. The issue arises from inadequate file type validation in the image cropper feature; the vulnerable code ships in the free version of the plugin, but the flaw only affects sites with the paid version activated. It allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution.
Impact
Exploitation of this vulnerability could allow for arbitrary file uploads, with the potential for remote code execution, depending on the nature of the uploaded files.
Reproduction
The vulnerability can be reproduced by uploading a file through the image cropper feature of the PPOM Product Addons & Custom Fields for WooCommerce plugin, version 33.0.15 or earlier. The uploaded file type is not properly validated, allowing for the introduction of potentially malicious files onto the server.
Remediation
Users are advised to update the PPOM Product Addons & Custom Fields for WooCommerce plugin to version 33.0.16 or a newer patched version.
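The root cause named above is file type validation that can be satisfied by an uploader's own claims. The following added example (not the plugin's code and not a reconstruction of its cropper) contrasts a constructed weak check that trusts the client-supplied Content-Type with a hardened validator that decides by content: the extension must come from a short image allowlist, the file's leading bytes must match that type, names with multiple extensions or control bytes are refused, and the stored name is generated by the server. The allowlist, the 5 MB limit and the sample uploads are all assumptions made for the example.

```python
"""Added example: validating an image-cropper upload by content rather than by
client-supplied filename or Content-Type. Not the plugin's code."""
import hashlib
import os
import re
from typing import Dict, Optional, Tuple

# Constructed allowlist: the only extensions a cropper needs, mapped to the
# magic bytes a file of that type must begin with.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for a cropper image


def weak_is_allowed(filename: str, client_mime: str) -> bool:
    """Illustrative weak check (constructed): it trusts the Content-Type the
    browser sent, which the uploader controls completely."""
    return client_mime.startswith("image/")


def hardened_validate(filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, stored_name).

    The stored name is derived from the content by the server; the client's
    filename is used only to learn the intended image type."""
    if not data:
        return False, "empty upload", None
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "upload exceeds size limit", None
    # Keep only the final path component and refuse NUL or control bytes.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or re.search(r"[\x00-\x1f]", base):
        return False, "invalid filename", None
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension", None
    # A name must map to exactly one handler on the web server, so more than
    # one extension is rejected outright rather than interpreted.
    if len(parts) > 2:
        return False, "multiple extensions are not allowed", None
    ext = parts[-1]
    if ext not in IMAGE_SIGNATURES:
        return False, "extension '%s' not in image allowlist" % ext, None
    # The content decides: the bytes must really be the declared image type.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match a %s image" % ext, None
    # Server-generated name: the original filename never reaches the disk.
    canonical_ext = "jpg" if ext == "jpeg" else ext
    stored = hashlib.sha256(data).hexdigest()[:32] + "." + canonical_ext
    return True, "ok", stored


# Constructed sample uploads: (filename, content, client Content-Type).
SAMPLES = {
    "real_png": ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"),
    "renamed_text": ("photo.png", b"not actually an image", "image/png"),
    "bad_extension": ("notes.txt", b"GIF89a" + b"\x00" * 8, "image/gif"),
    "double_ext": ("photo.x.png", b"\x89PNG\r\n\x1a\n", "image/png"),
}


def run_samples() -> Dict[str, Tuple[bool, bool]]:
    """For each sample, return (weak check verdict, hardened check verdict)."""
    return {
        name: (weak_is_allowed(fname, mime), hardened_validate(fname, data)[0])
        for name, (fname, data, mime) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened) in run_samples().items():
        print("%-14s weak=%-5s hardened=%s" % (name, weak, hardened))
```

Only the genuine PNG passes the hardened check, while the weak check accepts all four samples because every one of them arrives with an image Content-Type. The stored name is a hash of the content plus a canonical extension, so a repeated upload of the same image lands on the same name and nothing the client typed influences the path written to disk.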
