A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the shortcode parameters would be evaluated. Normally unauthenticated users cant evaluate shortcodes as they are often sensitive.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Woocommerce_products_filter | Woocommerce-filter | * | 2.2.0 (excluding) |