CVE-2024-3962

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress servers running the vulnerable Product Addons & Fields for WooCommerce plugin. Successful exploitation can lead to remote code execution, affecting all WordPress sites using PPOM Pro plugin versions up to 32.0.18 with WooCommerce products containing file upload fields.

💻 Affected Systems

Products:
  • Product Addons & Fields for WooCommerce (PPOM Pro)
Versions: All versions up to and including 32.0.18
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PPOM Pro plugin installed alongside WooCommerce with a product containing a file upload field to retrieve the correct nonce.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.

🟠 Likely Case

Attackers upload web shells or malicious scripts to gain persistent access, modify content, or exfiltrate sensitive data.

🟢 If Mitigated

File uploads are blocked or properly validated, preventing malicious file execution while maintaining legitimate functionality.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires no authentication.
🏢 Internal Only: LOW - Internal-only WordPress instances would still be vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once the required nonce is obtained from a WooCommerce product that has a file upload field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 32.0.19 or later

Vendor Advisory: https://themeisle.com/plugins/ppom-pro/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Product Addons & Fields for WooCommerce (PPOM Pro)'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 32.0.19+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable PPOM Pro Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate ppom-pro

Restrict File Uploads via .htaccess (platform: linux)

Block execution of uploaded files in the WordPress uploads directory. Add to wp-content/uploads/.htaccess:

<FilesMatch "\.(php|php5|php7|phtml|phar)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

This only takes effect on Apache with AllowOverride enabled for the uploads tree; the Order/Deny syntax is Apache 2.2 style and on Apache 2.4 requires mod_access_compat (the 2.4-native equivalent is Require all denied). Nginx ignores .htaccess. The rule stops the web server from executing a dropped script but does not stop the upload itself, so it is containment rather than a fix, and because the pattern anchors on the final extension it does not cover a double-extension name such as shell.php.jpg.

🧯 If You Can't Patch

  • Disable the PPOM Pro plugin immediately
  • Remove file upload fields from all WooCommerce products

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for PPOM Pro version 32.0.18 or earlier

Check Version:

wp plugin get ppom-pro --field=version

Verify Fix Applied:

Verify PPOM Pro plugin version is 32.0.19 or later in WordPress admin
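The version check above is easy to get wrong when scripted, because a plain string comparison ranks "32.0.9" above "32.0.19". The following is an added example (not code from the advisory or the plugin vendor) that parses the version string into numeric components before comparing it with the fixed release, and wraps the advisory's wp-cli command so the check can run on the server. It assumes wp-cli is installed and that the plugin slug is ppom-pro, as used in the advisory's own commands; the --path option is wp-cli's standard global parameter.

```python
from __future__ import annotations
import re
import subprocess

FIXED_VERSION = "32.0.19"   # first patched release, per the advisory
PLUGIN_SLUG = "ppom-pro"    # slug used by the advisory's wp-cli commands (assumption)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '32.0.18' (or '32.0.18-beta1') into a tuple of ints.

    Tuples compare element by element, so (32, 0, 9) < (32, 0, 19) holds,
    which a naive string comparison would get backwards. Any non-numeric
    suffix after the dotted numbers is ignored.
    """
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_vulnerable(installed: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_version(wp_path: str = ".") -> str | None:
    """Ask wp-cli for the installed PPOM Pro version; None if the plugin is absent
    or wp-cli fails (for example, when run outside a WordPress install)."""
    proc = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print(f"{PLUGIN_SLUG} not installed or wp-cli unavailable")
    elif is_vulnerable(v):
        print(f"{PLUGIN_SLUG} {v} is VULNERABLE; update to {FIXED_VERSION} or later")
    else:
        print(f"{PLUGIN_SLUG} {v} is patched")
```

Run it from the WordPress root (or pass the install path to installed_version) on each site in a fleet; the same is_vulnerable function can be pointed at version strings harvested from any other inventory source.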

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to wp-content/uploads/ppom directory
  • POST requests to /wp-admin/admin-ajax.php with action=ppom_upload_file
  • Files with double extensions like .php.jpg

Network Indicators:

  • HTTP POST requests containing malicious file uploads to WordPress endpoints
  • Unusual outbound connections from WordPress server after file uploads

SIEM Query:

source="wordpress.log" AND ("ppom_upload_file" OR "admin-ajax.php") AND ("php" OR "phtml" OR "phar")

As written, the literal "php" also matches the string "admin-ajax.php", so the query fires on every admin-ajax.php request. In practice, anchor on "ppom_upload_file" (or on requests into wp-content/uploads/ppom) and test the extension against the uploaded filename rather than against the whole event.
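The log indicators above, turned into detection logic over constructed sample access-log lines. This is an added example, not code from the advisory or the plugin vendor. It assumes combined-format web server logs and that the admin-ajax "action" parameter is visible in the logged request line; if a site only sends it in the POST body, the same logic applies to WAF or application logs that carry it. It flags POSTs to the ppom_upload_file action, pairs each with a later GET from the same source into wp-content/uploads/ppom (someone checking whether a dropped file runs), and checks upload names for executable extensions anywhere in the name, so the double-extension case from the indicator list is caught.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Extensions the .htaccess workaround blocks; a legitimate product upload
# should never carry one, even as an inner extension (shell.php.jpg).
EXEC_EXTENSIONS = {"php", "php5", "php7", "phtml", "phar"}

# Combined log format; the query string is assumed to be part of the request line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def executable_extensions(filename: str) -> list[str]:
    """Every executable extension in the name, so 'shell.php.jpg' is caught too."""
    parts = filename.lower().split(".")[1:]
    return [p for p in parts if p in EXEC_EXTENSIONS]


def parse_access_line(line: str) -> dict | None:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def is_ppom_upload(rec: dict) -> bool:
    """POST to admin-ajax.php carrying action=ppom_upload_file."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-admin/admin-ajax.php")
            and rec["query"].get("action") == "ppom_upload_file")


def scan_access_log(lines) -> list[dict]:
    """Records for every request that hits the ppom_upload_file action."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and is_ppom_upload(rec):
            hits.append(rec)
    return hits


def upload_then_fetch(lines) -> list[tuple[str, str]]:
    """Pair an upload POST with a later GET from the same IP into the ppom
    upload directory: the pattern of someone testing a file they just dropped."""
    uploaders: set[str] = set()
    pairs = []
    for line in lines:
        rec = parse_access_line(line)
        if not rec:
            continue
        if is_ppom_upload(rec):
            uploaders.add(rec["ip"])
        elif (rec["ip"] in uploaders and rec["method"] == "GET"
              and "/wp-content/uploads/ppom/" in rec["path"]):
            pairs.append((rec["ip"], rec["path"]))
    return pairs


def scan_upload_names(names) -> list[tuple[str, list[str]]]:
    """Names under wp-content/uploads/ppom that carry an executable extension."""
    return [(n, executable_extensions(n)) for n in names if executable_extensions(n)]


# Constructed sample data for the example; not real traffic or real files.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:11:02:14 +0000] "POST /wp-admin/admin-ajax.php?action=ppom_upload_file HTTP/1.1" 200 153 "-" "curl/8.0"',
    '198.51.100.4 - - [10/May/2024:11:02:20 +0000] "GET /product/custom-mug/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2024:11:02:31 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2024:11:02:45 +0000] "GET /wp-content/uploads/ppom/shell.php.jpg HTTP/1.1" 200 31 "-" "curl/8.0"',
]
SAMPLE_UPLOADS = ["logo.png", "design.pdf", "shell.php.jpg", "backdoor.phtml"]

if __name__ == "__main__":
    for rec in scan_access_log(SAMPLE_LOG):
        print("upload action:", rec["ip"], rec["ts"])
    for ip, path in upload_then_fetch(SAMPLE_LOG):
        print("upload followed by fetch:", ip, path)
    for name, exts in scan_upload_names(SAMPLE_UPLOADS):
        print("suspicious upload name:", name, exts)
```

For the filesystem side, feed scan_upload_names the output of os.listdir on wp-content/uploads/ppom (or os.walk for the whole uploads tree); a single hit there, or any upload-then-fetch pair, is worth an immediate look at the site even when the plugin has since been patched.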
