CVE-2024-50509
Published: 30 October 2024
Summary
CVE-2024-50509 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a path traversal flaw, tracked as CWE-22, in the WooCommerce Product Design plugin for WordPress. It affects all versions through 1.0.0: the plugin does not properly restrict user-supplied pathnames to its intended directory, so a crafted path can reach files in directories that should be off limits.
An unauthenticated attacker can send crafted requests over the network to trigger the flaw, resulting in arbitrary file deletion and a high impact on availability. The CVSS 8.6 score reflects that the attack requires no credentials or user interaction and changes scope beyond the vulnerable component.
The Patchstack advisory for this issue identifies the problem as an arbitrary file deletion vulnerability and directs administrators to apply the vendor patch or remove the plugin until a fix is installed. The current EPSS of 0.2865 indicates moderate exploitation likelihood but shows no material upward trajectory since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44932
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design woo-product-design allows Path Traversal. This issue affects Woocommerce Product Design: from n/a through <= 1.0.0.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
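Added example, not code from the advisory or from the plugin itself (which is PHP): a Python version of the control described above, applied to a file-deletion handler. The requested name is resolved against the permitted upload directory and anything that escapes it, by `..` segments, an absolute path or a symlink, is refused before deletion. The directory and file names are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path of user_path inside base_dir, or None if it escapes."""
    base = os.path.realpath(base_dir)
    # Only names relative to the upload directory are acceptable; absolute paths are refused.
    if os.path.isabs(user_path):
        return None
    # realpath collapses '..' segments and follows symlinks, so the containment
    # check below sees the directory the file really lives in.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath (rather than startswith) also rejects a sibling such as 'uploads2'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_delete(base_dir: str, user_path: str) -> bool:
    """Delete a regular file under base_dir; return False for traversal or missing files."""
    target = resolve_within(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed scenario: an uploads directory beside a file that must never be deleted."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    design = os.path.join(uploads, "design-42.png")
    protected = os.path.join(root, "wp-config.php")  # constructed stand-in for a site file
    for path in (design, protected):
        with open(path, "w") as fh:
            fh.write("sample")
    return {
        "inside": safe_delete(uploads, "design-42.png"),        # legitimate request
        "traversal": safe_delete(uploads, "../wp-config.php"),  # '..' escape refused
        "absolute": safe_delete(uploads, protected),            # absolute path refused
        "protected_still_exists": os.path.exists(protected),
    }
```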