Skip to main content

Woosa Marktplaats For Woocommerce

1 CVEs product

Monthly

CVE-2026-7547 MEDIUM This Month

Arbitrary file read via path traversal in the Woosa - Marktplaats for WooCommerce WordPress plugin (versions up to and including 2.0.4) permits authenticated WordPress administrators to escape the plugin's log directory and access any file readable by the web server process, including the sensitive wp-config.php file. The flaw exists in the render_logs_ui() function within class-module-logger-hook-settings.php, which decodes a base64-supplied filename from the log_file GET parameter and concatenates it with the log directory path without any boundary enforcement. No public exploit code or active exploitation has been identified at time of analysis; the attack surface is meaningfully constrained by the Administrator-level privilege requirement (PR:H), though successful exploitation could cascade into full site compromise via exposed database credentials.

Path Traversal WordPress Woosa Marktplaats For Woocommerce
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
EPSS 0% CVSS 4.9
MEDIUM This Month

Arbitrary file read via path traversal in the Woosa - Marktplaats for WooCommerce WordPress plugin (versions up to and including 2.0.4) permits authenticated WordPress administrators to escape the plugin's log directory and access any file readable by the web server process, including the sensitive wp-config.php file. The flaw exists in the render_logs_ui() function within class-module-logger-hook-settings.php, which decodes a base64-supplied filename from the log_file GET parameter and concatenates it with the log directory path without any boundary enforcement. No public exploit code or active exploitation has been identified at time of analysis; the attack surface is meaningfully constrained by the Administrator-level privilege requirement (PR:H), though successful exploitation could cascade into full site compromise via exposed database credentials.

Path Traversal WordPress Woosa Marktplaats For Woocommerce
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy