CVE-2024-35634

4.9 MEDIUM

📋 TL;DR

This path traversal vulnerability in the Woocommerce - Recent Purchases plugin allows attackers to include local PHP files on the server through improper path validation. It affects WordPress sites using this plugin, potentially leading to sensitive information disclosure or code execution. All versions up to 1.0.1 are vulnerable.

💻 Affected Systems

Products:
  • Wow-Company Woocommerce - Recent Purchases WordPress plugin
Versions: n/a through 1.0.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce and the vulnerable plugin installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete server compromise, data theft, or website defacement.

🟠 Likely Case

Local file inclusion allowing reading of sensitive files like configuration files containing database credentials.

🟢 If Mitigated

Limited impact if file permissions are properly restricted and the web server runs with minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/woo-recent-purchases/woocommerce-recent-purchases-plugin-1-0-1-file-inclusion-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Woocommerce - Recent Purchases'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.0.2+ from the WordPress repository.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily deactivate the plugin until patched.

wp plugin deactivate woo-recent-purchases

Web application firewall rule (applies to: all)

Block requests containing path traversal patterns.

Add WAF rule: Deny requests with '../' sequences in URL parameters

🧯 If You Can't Patch

  • Remove the plugin entirely if not essential
  • Implement strict file permissions and disable PHP execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Woocommerce - Recent Purchases version. If version is 1.0.1 or earlier, you are vulnerable.

Check Version:

wp plugin get woo-recent-purchases --field=version

Verify Fix Applied:

Confirm plugin version is 1.0.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with '../' sequences in parameters
  • Access to unexpected PHP files via web requests
  • Errors from failed file inclusion attempts

Network Indicators:

  • Unusual requests to plugin endpoints with path traversal patterns

SIEM Query:

web_access_logs WHERE url CONTAINS '../' AND url CONTAINS 'woo-recent-purchases'
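The WAF workaround above and the SIEM query both key on a literal '../' in the URL, which misses percent-encoded and double-encoded forms of the same sequence. The following added example (written for this page, not code from the advisory, the vendor, or the plugin) scans combined-format access logs, URL-decodes each request repeatedly before testing it, and flags traversal attempts that target the plugin directory separately from traversal seen elsewhere. The plugin slug `woo-recent-purchases` comes from the wp-cli commands on this page; the plugin path `/wp-content/plugins/<slug>/` is the standard WordPress layout; the file name `example.php`, the query parameter `view`, the IP addresses and the log lines are constructed for the demonstration and do not describe the real vulnerable endpoint.

```python
"""Scan web access logs for path-traversal requests aimed at the
woo-recent-purchases plugin. Added example, not part of the advisory."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Slug used by wp-cli on this page; the path is the standard WordPress layout.
PLUGIN_SLUG = "woo-recent-purchases"
PLUGIN_PATH = f"/wp-content/plugins/{PLUGIN_SLUG}/"

# '../' or '..\' after decoding; a literal-only check would miss encoded forms.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Apache/Nginx combined log format; referrer and user agent are not captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (%252e -> %2e -> .) so that encoded
    traversal sequences are compared in their decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(url: str) -> Optional[str]:
    """Label a request URL: traversal against the plugin, traversal elsewhere,
    or None when no traversal sequence is present after decoding."""
    decoded = decode_fully(url)
    has_traversal = TRAVERSAL_RE.search(decoded) is not None
    if has_traversal and PLUGIN_PATH in decoded:
        return "traversal-against-plugin"
    if has_traversal:
        return "traversal-elsewhere"
    return None


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose URL contains a traversal sequence."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-matching line; skipped, not flagged
        reason = classify(rec["url"])
        if reason is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "url": rec["url"],
            "decoded_url": decode_fully(rec["url"]),
            "reason": reason,
        })
    return findings


def count_by_ip(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Per-source counts, useful as a threshold for alerting on repeat offenders."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log lines. example.php and the 'view' parameter are
# placeholders, not the real vulnerable endpoint of the plugin.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/woo-recent-purchases/assets/style.css HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "GET /wp-content/plugins/woo-recent-purchases/example.php?view=../../../../wp-config.php HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:09 +0000] "GET /wp-content/plugins/woo-recent-purchases/example.php?view=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jun/2024:12:01:14 +0000] "GET /wp-content/themes/demo/../../../readme.html HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["reason"], finding["ip"], finding["decoded_url"])
    print(count_by_ip(scan_access_log(SAMPLE_LOG)))
```

Run it against real logs by feeding the file's lines to `scan_access_log`. The second and third sample lines decode to the same request; only the decoding step makes the double-encoded one visible, which is the reason to normalise before matching in both the WAF rule and the SIEM query. A 200 status on a flagged request to the plugin path deserves more attention than a 403 or 404, since the page's "If Mitigated" case depends on those requests being blocked or failing.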

🔗 References
