CVE-2023-6979
Published 2024-01-11
Priority: P2 · 58 · Severity: high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.15% (62.8th percentile)
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_import_upload_csv AJAX action in all versions up to, and including, 5.38.9. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
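The weakness described above (CWE-434 in a WordPress `wp_ajax_*` handler) comes down to two missing controls: the handler trusts any logged-in user, and it trusts whatever extension and bytes the client sends. The following is an added illustration written for this page; it is not the plugin's code and is not derived from the linked changesets. Only the action name `ivole_import_upload_csv` comes from the advisory; the callback names, the nonce action `example_import_csv`, the `manage_woocommerce` capability and the `file` form field are assumptions made for the example.

```php
<?php
/**
 * Added illustration of CWE-434 in a WordPress AJAX upload handler.
 * NOT the plugin's code. Only the action name ivole_import_upload_csv is from
 * the advisory; callback names, nonce action, capability and the "file" field
 * are assumptions for this example.
 */

// --- Vulnerable pattern (not hooked here, shown for comparison) --------------
// add_action( 'wp_ajax_ivole_import_upload_csv', 'example_import_csv_vulnerable' );
function example_import_csv_vulnerable() {
    // wp_ajax_* only requires *some* logged-in user, so an Author qualifies.
    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file' );
    }
    $upload = wp_upload_dir();
    // No extension/MIME check and the client-chosen name is kept, so a file
    // named shell.php lands in a web-served directory under wp-content/uploads.
    $dest = $upload['path'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_ivole_import_upload_csv', 'example_import_csv_hardened' );
function example_import_csv_hardened() {
    // 1. CSRF: the request must carry a nonce issued on the import screen.
    check_ajax_referer( 'example_import_csv', 'security' );

    // 2. Authorization: importing reviews is a shop-admin task, not an Author task.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // 3. File type: allow exactly one extension/MIME pair and let WordPress
    //    compare the declared type against what finfo sees in the bytes.
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( 'csv' !== $check['ext'] || empty( $check['type'] ) ) {
        wp_send_json_error( 'only .csv files are accepted', 415 );
    }

    // 4. Storage: server-chosen random basename with a fixed suffix, so the
    //    client controls neither the name nor the extension on disk.
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return 'import-' . wp_generate_password( 16, false ) . '.csv';
        },
    );
    $moved = wp_handle_upload( $file, $overrides );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }

    // 5. Consume and discard: parse the rows, then delete the file so nothing
    //    that was uploaded stays reachable under wp-content/uploads.
    $rows = example_read_csv_rows( $moved['file'] );
    wp_delete_file( $moved['file'] );

    wp_send_json_success( array( 'rows' => count( $rows ) ) );
}

// Reads the CSV with fgetcsv and sanitizes each cell before it is used.
function example_read_csv_rows( $path ) {
    $rows = array();
    $fh   = fopen( $path, 'r' );
    if ( false === $fh ) {
        return $rows;
    }
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        $rows[] = array_map( 'sanitize_text_field', $row );
    }
    fclose( $fh );
    return $rows;
}
```

Two caveats a practitioner should keep in mind. `wp_check_filetype_and_ext()` does a real content check for images but is lenient for text types (a `text/plain` detection is accepted for `text/csv`), so the server-chosen `.csv` suffix and the parse-then-delete step are what actually prevent an uploaded script from ever being executable, not the MIME comparison alone. Independently of the plugin, denying PHP execution under `wp-content/uploads` at the web server is the defence in depth that would have blunted this class of bug even before the fix shipped.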
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cusrev | customer_reviews_for_woocommerce | <= 5.38.9 | — |
| ivole | customer_reviews_for_woocommerce | <= 5.38.9 | — |
VulDB
Customer Reviews for WooCommerce Plugin up to 5.38.9 on WordPress unrestricted upload
VulDB · 2026-04-11 · CVSS 8.8
CVE-2023-6979 [HIGH] Customer Reviews for WooCommerce Plugin up to 5.38.9 on WordPress unrestricted upload
A vulnerability marked as critical has been reported in Customer Reviews for WooCommerce Plugin up to 5.38.9 on WordPress. The affected element is an unknown function. This manipulation causes unrestricted upload.
This vulnerability is registered as CVE-2023-6979. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-rhj4-7w3q-vf4p: The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_imp
GHSA (unreviewed) · 2024-01-11
CVE-2023-6979 [CRITICAL] CWE-434 GHSA-rhj4-7w3q-vf4p: The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_imp
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_import_upload_csv AJAX action in all versions up to, and including, 5.38.9. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://drive.proton.me/urls/K4R2HDQBS0#iuTPm3NqZEdz
- https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/import-export/class-cr-reviews-importer.php#L35
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3016708%40customer-reviews-woocommerce&new=3016708%40customer-reviews-woocommerce&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3018507%40customer-reviews-woocommerce&new=3018507%40customer-reviews-woocommerce&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4af801db-44a6-4cd3-bd1a-3125490c8c48?source=cve