Skip to main content

Bulk Order Update WooCommerce EUVDEUVD-2026-42175

| CVE-2026-14500 MEDIUM
Path Traversal (CWE-22)
2026-07-08 Wordfence GHSA-74pw-3rq8-72px
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible unauthenticated AJAX endpoint with no complexity barrier; confidentiality is Low because only the first line per file is disclosed, and no integrity or availability impact exists.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:31 vuln.today
CVE Published
Jul 08, 2026 - 05:34 nvd
MEDIUM 5.3

DescriptionCVE.org

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouw_fetch_csv_data() AJAX handler being registered on the wp_ajax_nopriv_ hook with no capability or nonce check, and passing the attacker-supplied csv_url POST parameter - filtered only by esc_url_raw() (which leaves absolute filesystem paths intact) and validate_file() (which only rejects '..' traversal patterns) - directly into fopen()/fgetcsv() and reflecting the first parsed line in the JSON response. This makes it possible for unauthenticated attackers to read the first line of arbitrary files on the server (such as /etc/passwd) and to use the handler as a file-existence oracle.

AnalysisAI

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin active
Delivery
POST csv_url=/etc/passwd to unauthenticated AJAX endpoint
Exploit
validate_file() passes absolute path
Execution
fopen()/fgetcsv() reads target file
Persist
First line returned in JSON response
Impact
Iterate over sensitive paths to extract credentials

Vulnerability AssessmentAI

Exploitation The Bulk Order Update for WooCommerce plugin must be installed and active on the WordPress site, and WooCommerce must also be active as a dependency. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) accurately reflects the network-accessible, zero-authentication attack surface but appropriately caps the Confidentiality impact at Low because only the first line of each file is disclosed per request. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends an HTTP POST request to https://target-site.com/wp-admin/admin-ajax.php with the body action=bouw_fetch_csv_data&csv_url=/etc/passwd; PHP's validate_file() passes the absolute path because it contains no '..' sequence, fopen() reads the file under the web server's user context, and fgetcsv() parses and returns the first line - typically the root account entry - in the JSON response. By iterating over known sensitive paths (wp-config.php, .env, /proc/self/environ), an attacker can progressively extract database credentials, secret keys, and environment variables without any authentication or user interaction.
Remediation No vendor-released patch has been identified at time of analysis; a patched version number is not confirmed in any available reference. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy