Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Remote, low-complexity, unauthenticated because all three access controls are bypassable on default installs (PR:N/AC:L); read-only arbitrary file disclosure gives C:H with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The AR for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.40 via the 'file' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. The three intended access controls all fail: valid nonces are freely minted by unauthenticated callers via the nopriv ar_get_fresh_nonce and ar_process_user_image AJAX handlers; the AES-256-CBC encryption key is derived from get_option('ar_licence_key'), which returns false on default free installations and yields a predictable key attackers can use to encrypt their own path payloads; and the Referer check is trivially bypassed because the Referer header is attacker-controlled.
Articles & Coverage 1
AnalysisAI
Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation targets installations running AR for WooCommerce version 8.40 or earlier with the plugin active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5 High) aligns well with the description: network-reachable, low complexity, no privileges, no user interaction, with high confidentiality impact and no integrity or availability effect - consistent with a read-only file-disclosure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker first calls the nopriv ar_get_fresh_nonce AJAX action to mint a valid nonce, derives the predictable AES-256-CBC key (since ar_licence_key is unset on free installs), encrypts a '../../../../wp-config.php' path payload, and submits it to the secure-download handler with a forged Referer header. The server decrypts the payload, resolves the traversal path outside the intended directory, and returns the file contents, disclosing database credentials and WordPress secret keys. … |
| Remediation | Vendor-released patch: 8.41 - update the AR for WooCommerce plugin to version 8.41 or later, which is the primary and confirmed remediation (see the fixing changeset at https://plugins.trac.wordpress.org/changeset/3593279/ar-for-woocommerce/trunk/includes/ar-secure-download.php and the 8.40-to-8.41 diff). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress instances running AR for WooCommerce ≤8.40; audit wp-config.php and server logs for unauthorized access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41485
GHSA-r26p-86pc-qqj4