CVE-2020-36696
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authorization checks and download files from WooCommerce sites using the Product Input Fields for WooCommerce plugin. WordPress sites running this plugin in a version before 1.2.7 are affected. The vulnerability exists because the plugin's handle_downloads() function lacks a capability check, so the download path never verifies that the requester is a privileged user.
💻 Affected Systems
- Product Input Fields for WooCommerce WordPress plugin, versions up to and including 1.2.6 (fixed in 1.2.7)
📦 What is this software?
Product Input Fields for WooCommerce adds custom input fields (text, checkboxes, selections, file uploads and similar) to WooCommerce product pages so that customers can supply extra data, including uploaded files, along with an order. The download code path is meant to let authorized store staff retrieve those uploads, which is why it needs a capability check.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could download sensitive files including configuration files, customer data, or proprietary business information, leading to data breaches and compliance violations.
Likely Case
Attackers download product-related files, potentially exposing business information or customer data uploaded through product input fields.
If Mitigated
The download runs with the PHP worker's privileges, so file permissions only restrict it to what that worker can already read. With the worker running as a least-privilege account, secrets such as database credentials and backups kept outside its readable paths, and web server rules restricting the handler, impact is limited to files the site already exposes.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. Multiple security vendors have published technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.7 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Product Input Fields for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.2.7+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until it can be updated. Note that the plugin's custom fields disappear from product pages while it is off.
wp plugin deactivate product-input-fields-for-woocommerce
Web server file restriction
Add web server rules to block direct access to the plugin directory. Caveat: the flaw is a missing capability check in the plugin's handle_downloads() function, which WordPress invokes through its own entry points rather than as a script requested directly from the plugin directory. Denying the directory therefore blocks the plugin's static assets (breaking its front-end forms) and may not block the download path at all. Confirm the actual request pattern from the references before relying on this, and prefer a WAF rule keyed to that pattern.
# Apache 2.4 (mod_authz_core):
<LocationMatch "^/wp-content/plugins/product-input-fields-for-woocommerce/">
    Require all denied
</LocationMatch>
# Apache 2.2 (or 2.4 with mod_access_compat):
<LocationMatch "^/wp-content/plugins/product-input-fields-for-woocommerce/">
    Order Deny,Allow
    Deny from all
</LocationMatch>
# Nginx:
location ~* ^/wp-content/plugins/product-input-fields-for-woocommerce/ { deny all; }
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to the vulnerable endpoint
- Restrict file permissions and implement strict access controls on sensitive directories
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.2.6 or lower, you are vulnerable.
Check Version:
wp plugin get product-input-fields-for-woocommerce --field=version
Verify Fix Applied:
Verify plugin version is 1.2.7 or higher. Test the download functionality with unauthenticated requests to confirm proper authorization checks.
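An added check script (not from the plugin or the advisory) that classifies the installed version against the fix version 1.2.7 with a numeric comparison, so a future 1.2.10 is not mistaken for an old release the way a string compare would. The function names pif_is_vulnerable and pif_check_site are hypothetical; the WP-CLI command is the one shown above.

```shell
#!/bin/sh
# Added example (not from the plugin or the advisory): classify an installed
# Product Input Fields for WooCommerce version against the fix version 1.2.7.
FIXED_VERSION="1.2.7"

# pif_is_vulnerable VERSION  (hypothetical helper name)
#   returns 0 when VERSION is below 1.2.7 (vulnerable), 1 when 1.2.7 or later,
#   2 when the string has no leading numeric version at all.
pif_is_vulnerable() {
    # Keep only the leading numeric release, e.g. "1.2.6-beta1" -> "1.2.6"
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    [ -n "$ver" ] || return 2
    # sort -V orders versions numerically, so 1.2.10 sorts after 1.2.7
    # (a plain string comparison would get that wrong).
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ] && return 1
    return 0
}

# pif_check_site  (hypothetical helper name)
#   asks the live WordPress install via WP-CLI (run from the site root or add --path=...).
pif_check_site() {
    installed=$(wp plugin get product-input-fields-for-woocommerce --field=version 2>/dev/null) || {
        echo "plugin not installed or wp-cli not available"
        return 2
    }
    if pif_is_vulnerable "$installed"; then
        echo "VULNERABLE: $installed is below $FIXED_VERSION (CVE-2020-36696)"
        return 0
    fi
    echo "OK: $installed is $FIXED_VERSION or later"
    return 1
}

# Usage: ./pif-check.sh --site      (query the live install)
#        ./pif-check.sh 1.2.6       (classify a version string)
case "${1:-}" in
    --site) pif_check_site ;;
    '')     : ;;   # no argument: only define the functions (e.g. when sourced)
    *)      if pif_is_vulnerable "$1"; then echo "$1: vulnerable"; else echo "$1: not vulnerable (or unparseable)"; fi ;;
esac
```

The version check is necessary but not sufficient on its own: after updating, also confirm that an unauthenticated request to the download handler is refused, since a stale opcode cache or a half-applied manual update can leave the old code running.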
📡 Detection & Monitoring
Log Indicators:
- File download responses served to clients that present no WordPress login cookie (the handler should only succeed for privileged users)
- Requests that invoke the plugin's download handler from unauthenticated sources; the references document the exact request parameters, so key the pattern to those rather than to a guessed path
- Request paths or parameters containing traversal sequences (../, %2e%2e) or the names of sensitive files such as wp-config.php
Network Indicators:
- GET/POST requests to the plugin's download handler from sources that never authenticated
- Unusual spikes in file download traffic, or many download requests from a single client in a short window
SIEM Query:
source="web_server_logs" AND uri CONTAINS "product-input-fields-for-woocommerce" AND status_code=200
Two caveats when tuning this query: exclude the plugin's own static assets (.js, .css, images) or every storefront page load will match, and do not filter on user_agent (an earlier form of this query dropped anything containing "bot"), because the attacker chooses that header and can opt out of detection with it.
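An added triage script (not from the advisory or the plugin) that applies the query above to combined-format access logs: it keeps requests naming the plugin, drops static-asset fetches, and adds traversal and sensitive-target markers so failed probes (non-200) remain visible. The log lines are constructed, and the "plugin=...&file=..." query shape is an illustrative stand-in, not the real handler's parameter names; pif_suspicious_requests and pif_count_by_ip are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): triage combined-format
# access logs for requests that reach the Product Input Fields for WooCommerce
# plugin, skipping the static-asset fetches every storefront page load produces.
SLUG='product-input-fields-for-woocommerce'

# Constructed sample log. The "plugin=...&file=..." query shape is a stand-in for
# illustration, not the real handler's parameter names (see the references).
SAMPLE_LOG='203.0.113.7 - - [10/Jul/2020:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?plugin=product-input-fields-for-woocommerce&file=../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.68.0"
198.51.100.4 - - [10/Jul/2020:12:00:02 +0000] "GET /wp-content/plugins/product-input-fields-for-woocommerce/assets/frontend.js HTTP/1.1" 200 9876 "https://shop.example/product/mug" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2020:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?plugin=product-input-fields-for-woocommerce&file=uploads/order-42.pdf HTTP/1.1" 200 51200 "-" "curl/7.68.0"
192.0.2.9 - - [10/Jul/2020:12:01:00 +0000] "GET /wp-admin/admin-ajax.php?plugin=product-input-fields-for-woocommerce&file=../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"'

# pif_suspicious_requests (hypothetical helper name)
#   Reads log lines on stdin, prints "<ip> <status> <request> <flags>" for requests
#   that name the plugin, except static assets. A 200 is a successful hit; a non-200
#   is kept only when it carries a traversal or sensitive-path marker, so failed
#   probing stays visible. No user-agent filter: the attacker controls that header.
pif_suspicious_requests() {
    awk -v slug="$SLUG" '
    {
        # Combined log format: $7 = request path+query, $9 = HTTP status
        req = $7; status = $9; lreq = tolower(req)
        if (index(req, slug) == 0) next
        if (req ~ /\.(js|css|png|jpe?g|gif|svg|woff2?)(\?|$)/) next
        flags = ""
        if (lreq ~ /\.\.\/|%2e%2e/) flags = flags "traversal,"
        if (lreq ~ /wp-config\.php|\/etc\/passwd/) flags = flags "sensitive-target,"
        if (status != "200" && flags == "") next
        if (flags == "") flags = "review,"
        sub(/,$/, "", flags)
        print $1, status, req, flags
    }'
}

# pif_count_by_ip (hypothetical helper name)
#   Aggregates the output above into "<count> <ip>", busiest client first.
pif_count_by_ip() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Demo on the constructed sample; on a real host pipe the access log in instead.
printf '%s\n' "$SAMPLE_LOG" | pif_suspicious_requests
echo "--- requests per client ---"
printf '%s\n' "$SAMPLE_LOG" | pif_suspicious_requests | pif_count_by_ip
```

On the sample, the frontend.js fetch is dropped even though it contains the plugin slug, the two curl requests from 203.0.113.7 are reported (one flagged for traversal and wp-config.php, one left for review), and the 404 probe for /etc/passwd is kept because of its markers. Correlate the reported IPs with the WordPress login log: a download served to a client that never logged in is the signature of this bug.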
🔗 References
- https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2349889%40product-input-fields-for-woocommerce&new=2349889%40product-input-fields-for-woocommerce&sfp_email=&sfph_mail=
- https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01e41573-9329-48e1-9191-e8e1532f7afc?source=cve