On February 1st, 2024, during our Bug Bounty Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in Management App for WooCommerce, a WordPress plugin with 1,000+ active installations. This vulnerability makes it possible for authenticated users, such as subscribers and customers, to upload arbitrary files to a vulnerable site and achieve remote code execution.

Props to Lucio Sá, who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $657.00 for this discovery during our Bug Bounty Program Extravaganza.

Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 2, 2024. Sites using the free version of Wordfence received the same protection on March 3, 2024.

We contacted the WEmanage Team on February 2, 2024. After not receiving a reply, we escalated the issue to the WordPress.org Security Team on March 8, 2024. After that, the developer released a patch on March 24, 2024. We urge users to update their sites with the latest patched version of Management App for WooCommerce,…