Vulnerability Description
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin registered a page-redraw AJAX handler (the woof_redraw_woof action, reached through WordPress's admin-ajax.php endpoint) that was accessible to anyone without authentication, and WordPress shortcode markup supplied in the handler's "shortcode" parameter was evaluated server-side. Shortcode evaluation is normally reserved for users who can author content, because many shortcodes expose sensitive functionality; this handler let any unauthenticated remote client invoke whatever shortcodes were registered on the site.
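The request shape described above (an admin-ajax.php call with action=woof_redraw_woof and a shortcode parameter containing bracketed shortcode markup) is easy to spot in web server logs. The following script is an added example, not code from the plugin, the advisory, or this page: it flags such requests in sample access-log lines and decides whether an installed WOOF version falls in the affected range (below 2.2.0). The log lines are constructed, the IPs are documentation addresses, and the assumption that the action and shortcode appear in the query string (rather than an unlogged POST body) is an assumption of the example.

```python
"""Detection helper for CVE-2018-8710 (WOOF < 2.2.0).

Flags admin-ajax.php requests that call the unauthenticated woof_redraw_woof
action with shortcode markup in the 'shortcode' parameter, and checks whether
a plugin version is below the first fixed release (2.2.0).
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "woof_redraw_woof"   # AJAX action named in the vulnerability description
FIXED_VERSION = (2, 2, 0)          # first fixed release per the affected-products table

# Common-log-style line: ip ident user [time] "METHOD path PROTO" status ...
# Assumption: the action/shortcode travel in the query string, which logs record.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log (not real traffic). Lines 1-2 carry shortcode markup to
# the vulnerable action; line 3 is an unrelated core AJAX action; line 4 is a normal
# filtered-shop page view; line 5 is a POST whose body (if any) was not logged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=woof_redraw_woof&shortcode=%5Bwoof%5D HTTP/1.1" 200 5120 "-" "curl/7.58"',
    '203.0.113.5 - - [10/Mar/2018:12:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=woof_redraw_woof&shortcode=%5Bexample_tag%20id%3D%221%22%5D HTTP/1.1"'
    ' 200 880 "-" "curl/7.58"',
    '198.51.100.7 - - [10/Mar/2018:12:00:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2018:12:00:04 +0000] "GET /shop/?swoof=1&product_cat=hats'
    ' HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2018:12:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"'
    ' 200 420 "-" "curl/7.58"',
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.1.9' or '2.2' into a 3-tuple, padding missing components with 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_vulnerable_version(version: str) -> bool:
    """True for any WOOF release below 2.2.0, the affected range on this page."""
    return parse_version(version) < FIXED_VERSION


def suspicious_request(method: str, path: str) -> Optional[Dict]:
    """Return details if the request targets woof_redraw_woof with shortcode markup."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(parts.query)
    if query.get("action", [""])[0] != VULN_ACTION:
        return None
    shortcode = query.get("shortcode", [""])[0]
    # WordPress shortcode markup is bracketed: [tag attr="value"]. Only the tag
    # names are extracted; anything bracketed reaching this handler is of interest.
    tags = re.findall(r"\[([A-Za-z0-9_-]+)", shortcode)
    if not tags:
        return None
    return {"method": method, "tags": tags, "shortcode": shortcode}


def scan_log(lines: List[str]) -> List[Dict]:
    """Run suspicious_request over parsed log lines and collect the hits."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the expected log format
        ip, method, path, status = match.groups()
        found = suspicious_request(method, path)
        if found:
            hits.append({"ip": ip, "status": int(status), **found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} status={hit['status']} tags={hit['tags']}")
    for v in ("2.1.9", "2.2.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The version check treats 2.2.0 itself as fixed, matching the "< 2.2.0" affected range; a hit on an unpatched site should be escalated, while on a patched site it still records that someone probed for this issue.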
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Woocommerce-Filter | Woocommerce Products Filter | < 2.2.0 |
Related Weaknesses (CWE)
References
- https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-f (Third Party Advisory)
- https://wordpress.org/plugins/woocommerce-products-filter/#developers (Release Notes)
- https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/ (Vendor Advisory)
FAQ
What is CVE-2018-8710?
CVE-2018-8710 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin exposed a page-redraw AJAX handler to unauthenticated users and evaluated WordPress shortcode markup passed in its "shortcode" parameter, something normally reserved for authenticated users because shortcodes are often sensitive.
How severe is CVE-2018-8710?
CVE-2018-8710 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-8710?
Yes. The issue is fixed in WooCommerce Products Filter 2.2.0; every earlier release is affected, so upgrade to 2.2.0 or later. See the vendor advisory and release notes in the References section above. Affected product: Woocommerce-Filter Woocommerce Products Filter, versions before 2.2.0.