A Privilege Escalation vulnerability has been identified in the WordPress All in One B2B for WooCommerce Plugin. This vulnerability could allow a malicious actor with low privileges to escalate their privileges to something higher, such as an administrator account. This could then be used to take full control of the website.
This plugin vulnerability was discovered and responsibly reported by Alexander Concha.
The vulnerability is a Privilege Escalation vulnerability that occurs in the b2b-for-woocommerce.php file. The vulnerability allows an attacker with low privileges to execute arbitrary PHP code by exploiting a flaw in the way that the plugin handles file uploads.
The vulnerability has a CVSS 3.1 score of 9.8, which is considered to be critical. This means that the vulnerability is highly exploitable and could have a significant impact on the affected system.
The vulnerability affects all versions of the All in One B2B for WooCommerce Plugin prior to 1.0.3.
An attacker who successfully exploits this vulnerability could:
- Escalate their privileges to something higher, such as an administrator account.
- Take full control of the website.
Users of the All in One B2B for WooCommerce Plugin are strongly advised to uninstall the plugin until a patched version is available.