Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable path traversal yields arbitrary file read (C:H) with no write or denial-of-service primitive, so I:N and A:N; no user interaction required.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions.
AnalysisAI
Unauthenticated arbitrary file download in the WPC Product Options for WooCommerce WordPress plugin (versions ≤ 3.2.1) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials. The flaw is a classic path traversal (CWE-22) reachable over the network at low complexity, and while no public exploit identified at time of analysis, the disclosure by Patchstack and trivial attack profile make opportunistic scanning likely against WooCommerce storefronts running this plugin.
Technical ContextAI
WPC Product Options for WooCommerce is a WordPress plugin by WPClever (CPE: cpe:2.3:a:wpclever:wpc_product_options_for_woocommerce) that extends WooCommerce product pages with configurable options such as add-ons, variants, and file selections. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a user-controlled input - likely a filename or path parameter passed to a download/serve handler - is concatenated into a filesystem path without canonicalization or allowlist validation, letting sequences like '../' escape the intended directory. Because the endpoint does not enforce authentication, the traversal is reachable by any anonymous HTTP client that can contact the WordPress front-end.
RemediationAI
Upgrade the WPC Product Options for WooCommerce plugin to a version newer than 3.2.1 once the vendor publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpc-product-options/vulnerability/wordpress-wpc-product-options-for-woocommerce-plugin-3-2-1-arbitrary-file-download-vulnerability should be monitored for the exact patched version, as no fixed version is independently confirmed in the available data - Upstream fix status not independently confirmed. Until a patch is applied, deactivate and remove the plugin if business needs allow (loss of product option customization on storefront), or place a WAF/virtual-patch rule (e.g., Patchstack, Wordfence) in front of the site blocking requests containing '../', URL-encoded traversal sequences ('%2e%2e%2f'), or absolute paths in plugin request parameters - accepting that overly broad rules may break legitimate file-handling requests. As a defense-in-depth step, rotate WordPress secrets in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, etc.) and database credentials if you suspect the endpoint was exposed, since arbitrary file read commonly targets this file.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36870
GHSA-p254-h56f-52gw