A vulnerability was discovered in the WooCommerce Stock Manager plugin that is installed on 30,000+ sites. The Wordfence Threat Intelligence team started the responsible disclosure process on May 21, 2021.
An attacker can exploit this vulnerability by tricking the website’s administrator into performing an action, such as clicking on a link, that causes the administrator’s browser to submit a forged request and upload arbitrary files to the site.
The WooCommerce Stock Manager plugin extends WooCommerce so that site owners can manage the stock and details of all products on an e-commerce site from one place. The plugin also allows products to be exported and imported. Requests to this import functionality could be forged, so an attacker acting under a logged-in administrator’s identity could use it to upload arbitrary files.
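To show what a forgeable import handler looks like and how it is hardened in WordPress, here is an added illustration that is not the plugin’s own code: the function names prefixed `hypothetical_`, the nonce action and the page slug are invented for the example, while the WordPress API calls (`check_admin_referer`, `current_user_can`, `wp_handle_upload`, `wp_nonce_field`) are real.

```php
<?php
// Added illustration, not the plugin's own code. Names prefixed "hypothetical_"
// are invented for the example; the WordPress functions are real.
// Shape of an import handler that is exploitable via CSRF: every request that
// reaches it is acted on, so an administrator's browser that is made to submit
// it from another page uploads whatever file that page supplied.
function hypothetical_import_unprotected() {
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['import_file']['name'];
    move_uploaded_file( $_FILES['import_file']['tmp_name'], $dest );
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-stock-import' ) );
    exit;
}

// The same handler hardened with the checks the version above lacks.
function hypothetical_import_protected() {
    // 1. Capability check: only users allowed to manage the shop may import.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the request must carry a nonce issued to this user for
    //    this action and a matching referer; a cross-site form has neither.
    check_admin_referer( 'hypothetical_import', 'hypothetical_import_nonce' );
    // 3. Validate the upload: only a CSV, checked against file content by
    //    wp_handle_upload(), stored under the uploads directory with a
    //    server-sanitised name rather than the client-supplied one.
    if ( empty( $_FILES['import_file'] ) || UPLOAD_ERR_OK !== $_FILES['import_file']['error'] ) {
        wp_die( 'No import file received.', '', array( 'response' => 400 ) );
    }
    $upload = wp_handle_upload(
        $_FILES['import_file'],
        array( 'test_form' => false, 'mimes' => array( 'csv' => 'text/csv' ) )
    );
    if ( isset( $upload['error'] ) ) {
        wp_die( esc_html( $upload['error'] ), '', array( 'response' => 400 ) );
    }
    // $upload['file'] is now the only path the importer is allowed to read.
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-stock-import&done=1' ) );
    exit;
}
add_action( 'admin_post_hypothetical_import', 'hypothetical_import_protected' );

// The form must emit the matching nonce or the hardened handler rejects it.
function hypothetical_import_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_import">';
    wp_nonce_field( 'hypothetical_import', 'hypothetical_import_nonce' );
    echo '<input type="file" name="import_file" accept=".csv"><button>Import</button></form>';
}
```

The nonce check alone closes the forgery path described above; the capability check and the content-type and filename restrictions limit what any legitimate import can write to the server.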
This vulnerability is rated ‘High’ (8.8) on Patchstack.
On May 21, 2021, the Wordfence team contacted the plugin’s developer. A patch was released in version 2.6.0 on May 28, 2021.
Users of the plugin are strongly advised to update to the latest patched version, 2.6.0, immediately.
Source: Wordfence Blog.