CVE-2023-6979 in Customer Reviews for WooCommerce Plugin
Summary
by MITRE • 01/11/2024
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_import_upload_csv AJAX action in all versions up to, and including, 5.38.9. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2023-6979 affects the Customer Reviews for WooCommerce plugin, a widely used WordPress extension that enables users to manage and display customer reviews on e-commerce sites. This particular flaw exists within the ivole_import_upload_csv AJAX action handler, which is designed to process CSV file uploads for importing customer reviews. The vulnerability represents a critical security gap that allows authenticated attackers with author-level permissions or higher to bypass normal file validation mechanisms and upload malicious files to the target server. The affected versions range from the initial release through 5.38.9, indicating this flaw has persisted for an extended period without proper remediation.
The technical implementation of this vulnerability stems from inadequate input validation within the plugin's file upload functionality. Specifically, the ivole_import_upload_csv endpoint fails to properly verify the file type of uploaded content before processing it. This missing validation creates a path for attackers to upload files with potentially dangerous extensions such as .php, .jsp, or other server-side scripting formats. The flaw directly maps to CWE-434, which describes "Unrestricted Upload of File with Dangerous Type," a well-documented weakness that has been exploited in numerous security incidents across various web applications. When an authenticated user with author privileges or higher accesses the vulnerable endpoint, they can manipulate the file upload process to include malicious payloads that will be executed on the server with the privileges of the web application.
The operational impact of this vulnerability extends beyond simple unauthorized file uploads, as it creates a potential pathway for remote code execution on the compromised WordPress installation. Attackers who can authenticate as authors or higher-level users can leverage this vulnerability to upload web shells, malicious scripts, or other exploit payloads that can then be executed on the target server. This capability allows for complete compromise of the affected WordPress site, potentially enabling attackers to exfiltrate sensitive data, modify content, establish persistent access, or use the compromised server as a launchpad for further attacks against the broader network infrastructure. The vulnerability is particularly concerning in environments where authors have elevated privileges or where the plugin is used in multi-user scenarios with varying permission levels.
Mitigation strategies for CVE-2023-6979 should prioritize immediate action to address the root cause through proper file type validation and content verification. Organizations should upgrade to the latest version of the Customer Reviews for WooCommerce plugin where this vulnerability has been patched, typically through version 5.39.0 or later. Security practitioners should also implement additional defensive measures including restricting file upload capabilities to only allow specific, safe file types, implementing proper MIME type checking, and establishing strict file size limits for uploads. Network-based mitigations such as web application firewalls and intrusion detection systems can help detect and block suspicious file upload attempts. From an operational security perspective, organizations should conduct thorough access reviews to ensure that only necessary users have author-level permissions, and implement proper monitoring of file upload activities within WordPress installations. This vulnerability aligns with ATT&CK technique T1505.003, which covers "Input Validation" and "File Uploads," highlighting the importance of proper validation controls in preventing such exploitation scenarios.