Skip to main content

Ar For Woocommerce

1 CVEs product

Monthly

CVE-2026-14352 HIGH This Week

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.

WordPress Path Traversal Ar For Woocommerce
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.

WordPress Path Traversal Ar For Woocommerce
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy