CVE-2024-13622

7.5 HIGH

📋 TL;DR

The File Uploads Addon for WooCommerce WordPress plugin exposes sensitive customer data through insecure directory permissions. Unauthenticated attackers can access files in the /wp-content/uploads directory, potentially extracting customer-uploaded attachments. All WordPress sites using this plugin up to version 1.7.1 are affected.

💻 Affected Systems

Products:
  • File Uploads Addon for WooCommerce WordPress plugin
Versions: All versions up to and including 1.7.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WooCommerce and WordPress. Vulnerability exists in default plugin configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers exfiltrate sensitive customer documents (IDs, contracts, personal files) leading to data breach, regulatory fines, and reputational damage.

🟠

Likely Case

Unauthenticated access to customer-uploaded files containing personal information, violating data protection regulations.

🟢

If Mitigated

Limited exposure if directory permissions are properly configured or sensitive files aren't stored in the uploads directory.

🌐 Internet-Facing: HIGH - The vulnerability affects internet-facing WordPress sites and requires no authentication.
🏢 Internal Only: LOW - Primarily impacts public-facing web applications, though internal WordPress instances could also be affected.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires directory traversal or direct access to the insecure uploads directory. No special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.7.2 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/woo-addon-uploads/trunk/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'File Uploads Addon for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Restrict directory access via .htaccess (Apache)

Add access controls to prevent unauthorized access to the uploads directory. Add to /wp-content/uploads/.htaccess:

    # Apache 2.2-style access directives (Apache 2.4 needs mod_access_compat for these).
    # Deny everything under the uploads directory by default ...
    Order Deny,Allow
    Deny from all
    # ... and re-allow only files with the listed extensions. Note that this list
    # re-allows PDFs; remove "pdf" if customer documents are uploaded as PDFs.
    <FilesMatch "\.(jpg|jpeg|png|gif|pdf)$">
    Order Allow,Deny
    Allow from all
    </FilesMatch>

Move sensitive files outside the web root (all platforms)

Configure the plugin to store uploaded files outside publicly accessible directories.

🧯 If You Can't Patch

  • Disable the File Uploads Addon plugin immediately
  • Implement web application firewall rules to block access to sensitive upload directories

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin panel under Plugins > Installed Plugins. If version is 1.7.1 or lower, you are vulnerable.

Check Version:

With WP-CLI (the plugin slug woo-addon-uploads is taken from the vendor advisory URL above):

    wp plugin get woo-addon-uploads --field=version

or check the WordPress admin panel.

Verify Fix Applied:

After updating, verify version is 1.7.2 or higher. Test by attempting to access /wp-content/uploads/woo-addon-uploads/ directory without authentication.

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200/403 requests to /wp-content/uploads/woo-addon-uploads/ paths from unauthenticated users
  • Unusual file download patterns from uploads directory

Network Indicators:

  • HTTP GET requests to uploads directory without session cookies
  • Burst of requests to specific file patterns in uploads

SIEM Query:

Generic query pseudo-syntax; adapt the field names and the wildcard exclusion to your SIEM:

    source="web_access_logs" AND (uri_path="/wp-content/uploads/woo-addon-uploads/*" OR uri_path="/wp-content/uploads/*") AND status_code=200 AND NOT (user_agent="*bot*" OR user_agent="*crawler*")
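As an added example (not part of this advisory), a small Python checker that applies the log and network indicators above to access-log lines: it flags unauthenticated, non-bot GETs that returned 200 or 403 under /wp-content/uploads/woo-addon-uploads/ and reports source IPs that hit that path repeatedly. It assumes the web server appends the request's Cookie header as a final quoted field; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format with the request's
# Cookie header appended as a final quoted field); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2025:10:00:01 +0000] "GET /wp-content/uploads/woo-addon-uploads/order-1042-id-scan.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [10/Feb/2025:10:00:02 +0000] "GET /wp-content/uploads/woo-addon-uploads/order-1043-contract.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [10/Feb/2025:10:00:03 +0000] "GET /wp-content/uploads/woo-addon-uploads/order-1044.pdf HTTP/1.1" 403 199 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [10/Feb/2025:10:05:00 +0000] "GET /wp-content/uploads/2025/02/hero.png HTTP/1.1" 200 12000 "-" "Mozilla/5.0" "-"
198.51.100.8 - - [10/Feb/2025:10:06:00 +0000] "GET /wp-content/uploads/woo-addon-uploads/order-1042-id-scan.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0" "wordpress_logged_in_abc=shopmanager"
192.0.2.5 - - [10/Feb/2025:10:07:00 +0000] "GET /wp-content/uploads/woo-addon-uploads/ HTTP/1.1" 200 3100 "-" "Googlebot/2.1" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
UPLOAD_DIR = "/wp-content/uploads/woo-addon-uploads/"
BOT_UA = re.compile(r"bot|crawler", re.IGNORECASE)


def parse_log(text):
    """Return one dict per parseable line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_suspicious(rec):
    """Unauthenticated, non-bot GET that reached (200) or probed (403) the addon's upload directory."""
    return (
        rec["method"] == "GET"
        and rec["path"].startswith(UPLOAD_DIR)
        and rec["status"] in ("200", "403")
        and "wordpress_logged_in" not in rec["cookie"]  # no WordPress auth cookie
        and not BOT_UA.search(rec["ua"])
    )


def suspicious_sources(text, min_hits=2):
    """Map client IP -> number of suspicious hits, keeping only IPs at or above min_hits (a burst)."""
    counts = Counter(r["ip"] for r in parse_log(text) if is_suspicious(r))
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} unauthenticated hits under {UPLOAD_DIR}")
```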
