Product Import Export for WooCommerce Directory Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A directory traversal vulnerability has been identified in the Product Import Export for WooCommerce - Import Export Product CSV Suite plugin for WordPress, affecting all versions through 2.5.0. The flaw lies in the download_file() function, which does not properly validate the requested file path; an authenticated attacker with Administrator-level access can exploit it to read arbitrary log files on the server, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability allows authenticated users with Administrator privileges to read sensitive data from arbitrary log files on the server.

Reproduction

The vulnerability can be reproduced by an authenticated user with Administrator access. The user initiates a log file download through the WordPress admin interface, which triggers the vulnerable download_file() function. Because this function does not properly validate the supplied file path, a traversal sequence in the requested name can reach log files outside the intended directory.
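For reference, the following is an added illustration of the check that a log-download handler should perform before streaming a file, written for the WordPress plugin context the advisory describes. It is not the plugin's own code, and the log directory name, the nonce action and the required capability are assumptions; the point is that the requested name is reduced to a bare file name, constrained to the expected extension, resolved with realpath(), and then confirmed to still sit inside the canonical log directory, so traversal sequences and symlinks pointing elsewhere are both rejected.

```php
<?php
// Added example (not the plugin's code): path validation for an admin log download.
// Directory name, nonce action and capability below are assumptions for illustration.

// Resolve a user-supplied log file name to a path that is guaranteed to sit
// inside $log_dir, or return null if the request would escape that directory.
function resolve_log_path( string $log_dir, string $requested ): ?string {
    $base = realpath( $log_dir );
    if ( $base === false ) {
        return null; // log directory does not exist
    }
    // Only a bare file name is acceptable: any directory component is rejected,
    // which covers "../" sequences as well as absolute paths.
    if ( $requested === '' || basename( $requested ) !== $requested ) {
        return null;
    }
    // Restrict to the extension this feature is meant to serve.
    if ( ! preg_match( '/^[A-Za-z0-9_.-]+\.log$/', $requested ) ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( $candidate === false ) {
        return null; // file does not exist
    }
    // realpath() follows symlinks, so the canonical result must still be
    // under the canonical base directory.
    if ( strpos( $candidate, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $candidate;
}

// Hypothetical admin handler: capability check, nonce check, then path validation
// before anything is read from disk.
function hardened_download_file(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_download_log' ); // assumed nonce action

    $upload  = wp_upload_dir();
    $log_dir = $upload['basedir'] . '/example-plugin-logs'; // assumed directory
    $path    = resolve_log_path( $log_dir, (string) ( $_GET['file'] ?? '' ) );
    if ( $path === null ) {
        wp_die( 'Invalid log file.' );
    }

    header( 'Content-Type: text/plain' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

With this shape, a request for a name such as one containing a directory separator or lacking the .log extension returns null and is refused before readfile() runs, and a .log file that is only reachable through a symlink out of the log directory is refused by the prefix comparison on the resolved path.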

Remediation

Users are advised to update the Product Import Export for WooCommerce - Import Export Product CSV Suite plugin to version 2.5.1 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 3.3
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.