CVE-2024-35658
📋 TL;DR
This is an unauthenticated path traversal vulnerability in ThemeHigh's Checkout Field Editor for WooCommerce Pro plugin that allows attackers to delete arbitrary files on the server. It affects all WordPress sites running vulnerable versions of this premium WooCommerce plugin. Attackers can exploit this without any authentication.
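To make the vulnerability class concrete, here is an added illustration (not the plugin's code, which this page does not show): a constructed Python stand-in for the unchecked "join user input onto a directory and delete" pattern beside a hardened version that resolves the path and proves it still lies inside the intended directory before unlinking. The `demo()` function builds a throwaway tree under a temp directory, so it runs offline; `wp-config.php` and `receipt.pdf` there are constructed sample names.

```python
import os
import tempfile


def delete_upload_insecure(base_dir: str, name: str) -> str:
    """Constructed stand-in for the vulnerable pattern: user input is joined
    onto the upload directory with no containment check, so a name such as
    '../wp-config.php' walks out of base_dir."""
    target = os.path.join(base_dir, name)
    os.remove(target)
    return target


def resolve_inside(base_dir: str, name: str) -> str:
    """Resolve `name` under `base_dir` and refuse anything that escapes it.

    realpath() collapses '..' segments and symlinks; commonpath() then proves
    the result is still inside base_dir (a plain startswith() would wrongly
    accept '/srv/uploads2' as inside '/srv/uploads').
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside upload directory: {name!r}")
    return candidate


def delete_upload_secure(base_dir: str, name: str) -> str:
    """Hardened form: same deletion, but only after resolve_inside() passes."""
    target = resolve_inside(base_dir, name)
    os.remove(target)
    return target


def demo() -> dict:
    """Build a throwaway tree and exercise both functions; returns the outcome."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    critical = os.path.join(root, "wp-config.php")  # stands in for a critical file
    open(critical, "w").close()
    legit = os.path.join(uploads, "receipt.pdf")    # a file the feature may delete
    open(legit, "w").close()

    outcome = {}
    # 1. A legitimate name inside the upload directory is still allowed.
    delete_upload_secure(uploads, "receipt.pdf")
    outcome["legit_deleted"] = not os.path.exists(legit)

    # 2. A traversal name is rejected by the hardened version; the file survives.
    try:
        delete_upload_secure(uploads, "../wp-config.php")
        outcome["traversal_blocked"] = False
    except ValueError:
        outcome["traversal_blocked"] = True
    outcome["critical_survived_secure"] = os.path.exists(critical)

    # 3. The unchecked version removes the same file without complaint.
    delete_upload_insecure(uploads, "../wp-config.php")
    outcome["critical_survived_insecure"] = os.path.exists(critical)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The containment check is deliberately done on the resolved path rather than by rejecting the literal string `../`: percent-encoding, backslashes and symlinks all defeat string filters, whereas `realpath` plus `commonpath` reasons about where the file actually ends up.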
💻 Affected Systems
- ThemeHigh Checkout Field Editor for WooCommerce (Pro)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through deletion of critical system files, website defacement, or deletion of WordPress core files leading to site unavailability.
Likely Case
Website defacement, deletion of WordPress configuration files, or deletion of plugin/theme files causing functionality loss.
If Mitigated
Limited to deletion of non-critical files if proper file permissions and web server restrictions are in place.
🎯 Exploit Status
Public exploit details available on Patchstack. Attack requires no authentication and minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Checkout Field Editor for WooCommerce (Pro)'.
4. Click 'Update Now' if an update is available.
5. If no update appears, download version 3.6.3+ from ThemeHigh and update manually.
🔧 Temporary Workarounds
Disable Plugin
All platforms: temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate woocommerce-checkout-field-editor-pro
Restrict File Deletion
Linux: set restrictive file permissions on critical directories. Note that this only limits what the PHP process can delete; files owned and writable by the web server user remain deletable.
chmod 755 /var/www/html/wp-content
chmod 644 /var/www/html/wp-config.php
🧯 If You Can't Patch
- Disable the Checkout Field Editor for WooCommerce Pro plugin immediately
- Implement web application firewall (WAF) rules to block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Checkout Field Editor for WooCommerce (Pro) version. If version is 3.6.2 or lower, you are vulnerable.
Check Version:
wp plugin get woocommerce-checkout-field-editor-pro --field=version
Verify Fix Applied:
Verify plugin version is 3.6.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences
- File deletion operations in web server logs
- 404 errors for files that previously existed (a sign they have been deleted)
Network Indicators:
- HTTP requests with path traversal payloads to WooCommerce endpoints
SIEM Query:
source="web_access.log" AND (uri="*../*" OR uri="*..%2f*") AND (uri="*wc-checkout-field-editor*" OR uri="*woocommerce*")
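For teams without a SIEM, the same logic as the query above can be run directly over access logs. The following is an added example (not from the advisory or the vendor): it parses common-log-format lines, percent-decodes the URI until stable so single- and double-encoded traversal sequences are both caught, and flags which hits target WooCommerce or the plugin path. The log lines are constructed samples, and `handler.php?file=` is a placeholder endpoint, not the plugin's real one.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; none of this is real traffic, and
# "handler.php?file=" is a placeholder endpoint rather than the plugin's own.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /shop/?add-to-cart=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:10:01:05 +0000] "POST /wp-content/plugins/woocommerce-checkout-field-editor-pro/handler.php?file=../../../wp-config.php HTTP/1.1" 200 12
203.0.113.7 - - [10/May/2024:10:01:06 +0000] "POST /wp-content/plugins/woocommerce-checkout-field-editor-pro/handler.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 12
203.0.113.9 - - [10/May/2024:10:01:09 +0000] "GET /wp-content/plugins/woocommerce-checkout-field-editor-pro/assets/app.js HTTP/1.1" 200 880
203.0.113.9 - - [10/May/2024:10:01:11 +0000] "GET /blog/..%252F..%252Findex.php HTTP/1.1" 404 0
203.0.113.11 - - [10/May/2024:10:01:15 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 301
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # '../' or '..\' after decoding
PLUGIN_HINTS = ("woocommerce", "wc-checkout-field-editor")


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so '..%2F' and the double-encoded
    '..%252F' both collapse to '../' before the traversal pattern is matched."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def scan(log_text: str) -> list:
    """Return one record per line whose decoded URI carries a traversal sequence.

    'plugin' marks requests aimed at WooCommerce or the plugin path, mirroring
    the SIEM query's second clause; other traversal attempts are still returned
    so they can be triaged separately.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        decoded = normalize_uri(m["uri"])
        if not TRAVERSAL_RE.search(decoded):
            continue  # 'release..notes.txt' style names do not trip this
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "uri": m["uri"],
            "decoded": decoded,
            "status": int(m["status"]),
            "plugin": any(h in decoded.lower() for h in PLUGIN_HINTS),
        })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = "PLUGIN" if h["plugin"] else "other "
        print(f"{flag} {h['ip']:<14} {h['status']} {h['decoded']}")
```

Decoding before matching matters because the page's SIEM query only looks for the literal `../` and `..%2f`; a double-encoded `..%252F` would slip past it, while this scanner normalizes it to `../` first. Matching on the decoded URI also means a case-different `%2F` versus `%2f` makes no difference.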
🔗 References
- https://patchstack.com/database/vulnerability/woocommerce-checkout-field-editor-pro/wordpress-checkout-field-editor-for-woocommerce-pro-plugin-3-6-2-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve