Skip to main content

AR for WooCommerce CVE-2026-14352

| EUVDEUVD-2026-41485 HIGH
Path Traversal (CWE-22)
2026-07-03 Wordfence GHSA-r26p-86pc-qqj4
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated because all three access controls are bypassable on default installs (PR:N/AC:L); read-only arbitrary file disclosure gives C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 05:47 vuln.today
CVE Published
Jul 03, 2026 - 04:30 cve.org
HIGH 7.5

DescriptionCVE.org

The AR for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.40 via the 'file' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. The three intended access controls all fail: valid nonces are freely minted by unauthenticated callers via the nopriv ar_get_fresh_nonce and ar_process_user_image AJAX handlers; the AES-256-CBC encryption key is derived from get_option('ar_licence_key'), which returns false on default free installations and yields a predictable key attackers can use to encrypt their own path payloads; and the Referer check is trivially bypassed because the Referer header is attacker-controlled.

AnalysisAI

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach unauthenticated admin-ajax endpoint
Delivery
Mint nonce via ar_get_fresh_nonce
Exploit
Derive predictable AES key from unset licence_key
Install
Encrypt '../wp-config.php' path payload
C2
Submit to secure-download with forged Referer
Execute
Server resolves traversal path
Impact
Read arbitrary file contents

Vulnerability AssessmentAI

Exploitation Exploitation targets installations running AR for WooCommerce version 8.40 or earlier with the plugin active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5 High) aligns well with the description: network-reachable, low complexity, no privileges, no user interaction, with high confidentiality impact and no integrity or availability effect - consistent with a read-only file-disclosure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker first calls the nopriv ar_get_fresh_nonce AJAX action to mint a valid nonce, derives the predictable AES-256-CBC key (since ar_licence_key is unset on free installs), encrypts a '../../../../wp-config.php' path payload, and submits it to the secure-download handler with a forged Referer header. The server decrypts the payload, resolves the traversal path outside the intended directory, and returns the file contents, disclosing database credentials and WordPress secret keys. …
Remediation Vendor-released patch: 8.41 - update the AR for WooCommerce plugin to version 8.41 or later, which is the primary and confirmed remediation (see the fixing changeset at https://plugins.trac.wordpress.org/changeset/3593279/ar-for-woocommerce/trunk/includes/ar-secure-download.php and the 8.40-to-8.41 diff). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress instances running AR for WooCommerce ≤8.40; audit wp-config.php and server logs for unauthorized access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy