WooCommerce Pickupp Path Traversal Vulnerability Leading to Local File Inclusion

A path traversal vulnerability allowing PHP local file inclusion has been identified in the WooCommerce Pickupp plugin, affecting versions through 2.4.0. This vulnerability arises from improper restrictions on pathname navigation, which could enable malicious actors to include local files from the server and execute them, potentially leading to the exposure of sensitive information such as database credentials.

Impact

Exploitation of this vulnerability could allow for local file inclusion, enabling the inclusion and execution of local files on the server. This could be particularly dangerous if files containing sensitive information, like database credentials, are accessed, as it could lead to a complete takeover of the database, depending on the configuration.

Remediation

Users are advised to update to a version of the WooCommerce Pickupp plugin that is later than 2.4.0. If no such version is available, consider removing the plugin and replacing it with an alternative. Patchstack offers a virtual patch that can be applied until an official fix is available.