This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Path Traversal in WooCommerce Designer Pro. <br>π₯ **Consequences**: Arbitrary file deletion & Remote Code Execution (RCE). Critical impact on confidentiality, integrity, and availability.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **CWE**: CWE-22 (Path Traversal). <br>π **Flaw**: Insufficient file path validation in `wcdp_save_canvas_design_ajax` function. Allows attackers to manipulate file paths.
Q3Who is affected? (Versions/Components)
π¦ **Vendor**: JMA Plugins. <br>π **Affected**: WooCommerce Designer Pro v1.9.26 and earlier. <br>π **Platform**: WordPress sites using this plugin.
Q4What can hackers do? (Privileges/Data)
π **Privileges**: No privileges required (PR:N). <br>π **Data**: Full access (C:H, I:H, A:H). <br>β οΈ **Actions**: Delete files, execute arbitrary code on the server.
π **Public Exp?**: No PoCs listed in data. <br>π **Status**: References exist (WordFence, Codecanyon). <br>β οΈ **Risk**: High CVSS score suggests likely exploitability despite no public PoC.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for WooCommerce Designer Pro. <br>π **Version**: Verify if version β€ 1.9.26. <br>π οΈ **Tool**: Use vulnerability scanners detecting CWE-22 in AJAX endpoints.