Vulnerability Description
The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/inpost-for-woocommerce/trunk/src/Insp
- https://plugins.trac.wordpress.org/browser/inpost-for-woocommerce/trunk/src/Insp
- https://plugins.trac.wordpress.org/browser/woo-inpost/trunk/classes/class-helper
- https://plugins.trac.wordpress.org/browser/woo-inpost/trunk/classes/class-helper
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7b57e750-71ec-4c52-999
FAQ
What is CVE-2024-6500?
CVE-2024-6500 is a vulnerability with a CVSS score of 10.0 (CRITICAL). The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all...
How severe is CVE-2024-6500?
CVE-2024-6500 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-6500?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.