Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible unauthenticated AJAX endpoint with no complexity barrier; confidentiality is Low because only the first line per file is disclosed, and no integrity or availability impact exists.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouw_fetch_csv_data() AJAX handler being registered on the wp_ajax_nopriv_ hook with no capability or nonce check, and passing the attacker-supplied csv_url POST parameter - filtered only by esc_url_raw() (which leaves absolute filesystem paths intact) and validate_file() (which only rejects '..' traversal patterns) - directly into fopen()/fgetcsv() and reflecting the first parsed line in the JSON response. This makes it possible for unauthenticated attackers to read the first line of arbitrary files on the server (such as /etc/passwd) and to use the handler as a file-existence oracle.
AnalysisAI
Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Bulk Order Update for WooCommerce plugin must be installed and active on the WordPress site, and WooCommerce must also be active as a dependency. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) accurately reflects the network-accessible, zero-authentication attack surface but appropriately caps the Confidentiality impact at Low because only the first line of each file is disclosed per request. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends an HTTP POST request to https://target-site.com/wp-admin/admin-ajax.php with the body action=bouw_fetch_csv_data&csv_url=/etc/passwd; PHP's validate_file() passes the absolute path because it contains no '..' sequence, fopen() reads the file under the web server's user context, and fgetcsv() parses and returns the first line - typically the root account entry - in the JSON response. By iterating over known sensitive paths (wp-config.php, .env, /proc/self/environ), an attacker can progressively extract database credentials, secret keys, and environment variables without any authentication or user interaction. |
| Remediation | No vendor-released patch has been identified at time of analysis; a patched version number is not confirmed in any available reference. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42175
GHSA-74pw-3rq8-72px