Skip to main content

Bulk Order Update For Woocommerce

1 CVEs product

Monthly

CVE-2026-14500 MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal Bulk Order Update For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy