Overview
- Description
- The Ni Purchase Order(PO) For WooCommerce WordPress plugin through 1.2.1 does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell.
- Source
- contact@wpscan.com
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.2
- Impact score
- 5.9
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- CWE-434
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:naziinfotech:ni_purchase_order\\(po\\)_for_woocommerce:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"matchCriteriaId": "DB401D2E-23A7-4A3F-A27D-983DC248779C",
"versionEndIncluding": "1.2.1"
}
],
"operator": "OR"
}
]
}
]