Woocommerce Category and Products Accordion Panel Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the Woocommerce Category and Products Accordion Panel plugin for WordPress, affecting all versions through 1.0. The vulnerability arises in the 'categoryaccordionpanel' shortcode, allowing authenticated attackers with Contributor-level access and above to include and execute arbitrary .php files on the server. This exploitation could bypass access controls, access sensitive data, or execute code in scenarios where .php files can be uploaded and included.

Impact

Exploitation of this vulnerability could lead to unauthorized file inclusion, allowing execution of malicious PHP code on the server. This could be used to bypass access controls, access sensitive information, or achieve remote code execution, particularly in cases where uploaded .php files can be included and executed.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the 'categoryaccordionpanel' shortcode. This will trigger the local file inclusion vulnerability, allowing the user to include and execute arbitrary .php files on the server.

Remediation

No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.