CVE-2024-13359
Published: 08 March 2025
Summary
CVE-2024-13359 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Tychesoftwares Product Input Fields For Woocommerce. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces proper validation of file types and content in product input fields, countering the insufficient file type validation that enables arbitrary file uploads.
Mandates timely identification, reporting, and patching of the specific flaw in the WooCommerce plugin versions up to 1.12.0, as recommended by advisories.
Restricts information inputs such as uploaded files to only approved safe extensions, preventing double-extension bypasses and direct PHP uploads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and deployment of web shells for RCE (T1505.003).
NVD Description
The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and including, 1.12.0. This may make it possible for unauthenticated…
more
attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that by default the plugin is only vulnerable to a double extension file upload attack, unless an administrators leaves the accepted file extensions field blank which can make .php file uploads possible. Please note 1.12.2 was mistakenly marked as patched while 1.12.1 was marked as vulnerable for a short period of time, this is not the case and 1.12.1 is fully patched.
Deeper analysisAI
CVE-2024-13359 is an arbitrary file upload vulnerability in the Product Input Fields for WooCommerce plugin for WordPress, affecting all versions up to and including 1.12.0. The issue stems from insufficient file type validation in the add_product_input_fields_to_order_item_meta() function, which enables attackers to upload arbitrary files to the affected site's server. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit the vulnerability over the network with high attack complexity and no privileges required. By default, exploitation is limited to double extension file upload attacks, but if an administrator leaves the accepted file extensions field blank, direct uploads of .php files become feasible, potentially leading to remote code execution on the server.
Advisories recommend updating to version 1.12.1 or later for mitigation, as 1.12.1 fully patches the vulnerability despite a brief period where it was mistakenly marked as vulnerable and 1.12.2 as patched. Relevant resources include the Wordfence threat intelligence report and WordPress plugin trac changesets (e.g., revisions 3234567 and 3250201) detailing the code fixes in class-alg-wc-pif-main.php.
Details
- CWE(s)