Cyber Resilience

CVE-2024-13359

High

Published: 08 March 2025

Published
08 March 2025
Modified
13 March 2025
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0117 79.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13359 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Tychesoftwares Product Input Fields For Woocommerce. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13359 is an arbitrary file upload vulnerability in the Product Input Fields for WooCommerce plugin for WordPress, affecting all versions up to and including 1.12.0. The issue stems from insufficient file type validation in the add_product_input_fields_to_order_item_meta() function, which enables attackers to upload arbitrary files to the affected site's server. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit the vulnerability over the network with high attack complexity and no privileges required. By default, exploitation is limited to double extension file upload attacks, but if an administrator leaves the accepted file extensions field blank, direct uploads of .php files become feasible, potentially leading to remote code execution on the server.

Advisories recommend updating to version 1.12.1 or later for mitigation, as 1.12.1 fully patches the vulnerability despite a brief period where it was mistakenly marked as vulnerable and 1.12.2 as patched. Relevant resources include the Wordfence threat intelligence report and WordPress plugin trac changesets (e.g., revisions 3234567 and 3250201) detailing the code fixes in class-alg-wc-pif-main.php.

EU & UK References

Vulnerability details

The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and including, 1.12.0. This may make it possible for unauthenticated…

more

attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that by default the plugin is only vulnerable to a double extension file upload attack, unless an administrators leaves the accepted file extensions field blank which can make .php file uploads possible. Please note 1.12.2 was mistakenly marked as patched while 1.12.1 was marked as vulnerable for a short period of time, this is not the case and 1.12.1 is fully patched.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and deployment of web shells for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-8425Same product class: WordPress / CMS plugin
CVE-2025-7340Same product class: WordPress / CMS plugin
CVE-2024-13342Same product class: WordPress / CMS plugin
CVE-2025-1661Same product class: WordPress / CMS plugin
CVE-2024-13545Same product class: WordPress / CMS plugin
CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434

Affected Assets

tychesoftwares
product input fields for woocommerce
≤ 1.12.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces proper validation of file types and content in product input fields, countering the insufficient file type validation that enables arbitrary file uploads.

prevent

Mandates timely identification, reporting, and patching of the specific flaw in the WooCommerce plugin versions up to 1.12.0, as recommended by advisories.

prevent

Restricts information inputs such as uploaded files to only approved safe extensions, preventing double-extension bypasses and direct PHP uploads.

References