CVE-2024-39651

8.6 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to delete arbitrary files on WordPress sites running the vulnerable WooCommerce PDF Vouchers plugin. Attackers can exploit path traversal flaws to target critical system files, potentially causing complete site compromise. All WordPress sites using affected versions of this plugin are at risk.

💻 Affected Systems

Products:
  • WordPress WooCommerce PDF Vouchers Plugin
Versions: All versions before 4.9.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce and PDF Vouchers plugin installed. No authentication required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover via deletion of WordPress core files, wp-config.php, or .htaccess, leading to data loss, defacement, or ransomware deployment.

🟠 Likely Case

Site disruption through deletion of plugin files, media uploads, or configuration files, causing functionality loss and potential data corruption.

🟢 If Mitigated

Limited impact if file permissions restrict the web server user's write access, but still a potential for denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests with crafted parameters can trigger the vulnerability. Public exploit details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.5

Vendor Advisory: https://patchstack.com/database/vulnerability/woocommerce-pdf-vouchers/wordpress-woocommerce-pdf-vouchers-plugin-4-9-5-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WooCommerce PDF Vouchers'.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.9.5+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate woocommerce-pdf-vouchers

Restrict File Permissions (platform: linux)

Set restrictive permissions on critical WordPress files and directories:

chmod 755 wp-content
chmod 644 wp-config.php
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;

🧯 If You Can't Patch

  • Disable WooCommerce PDF Vouchers plugin immediately
  • Implement web application firewall (WAF) rules to block path traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin panel under Plugins > Installed Plugins. If the version is below 4.9.5, the site is vulnerable.

Check Version:

wp plugin get woocommerce-pdf-vouchers --field=version

Verify Fix Applied:

Confirm plugin version shows 4.9.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with ../ sequences in parameters
  • File deletion errors in WordPress debug logs
  • 404 errors for unexpected file paths

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with file deletion parameters
  • Unusual file paths in URL parameters

SIEM Query:

source="wordpress.log" AND ("../" OR "..\\" OR "%2e%2e%2f") AND "action=delete_file"
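As an added detection example (not from the advisory or the plugin vendor), the Python script below applies the log indicators above to constructed Apache-style access-log lines: it URL-decodes each request target repeatedly so that encoded and double-encoded traversal sequences (%2e%2e%2f, %252e%252e%252f) are caught, and reports every request carrying one. The parameter names in the sample lines are placeholders since the advisory does not name the real ones, and POST bodies are absent from standard access logs, so this only sees traversal carried in the URL.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not from a real site.
# "action=delete_file" mirrors the SIEM query above and is illustrative only.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=delete_file&file=../../wp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [10/Jul/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?file=%252e%252e%252f%252e%252e%252f.htaccess HTTP/1.1" 200 10 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jul/2024:12:00:04 +0000] "GET /wp-content/uploads/2024/07/voucher.pdf HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Unix and Windows style parent-directory sequences after decoding.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_hits(log_text):
    """Return one dict per request whose decoded target contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, _, query = m.group("target").partition("?")
        decoded_query = fully_decode(query)
        if TRAVERSAL_RE.search(decoded_query) or TRAVERSAL_RE.search(fully_decode(path)):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "admin_ajax": path.endswith("/wp-admin/admin-ajax.php"),
                "decoded_query": decoded_query,
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit)
```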
