Description
Subscriber Arbitrary File Download in Woocommerce Book Price <= 1.3 versions.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the WordPress WooCommerce Book Price plugin versions 1.3 and earlier allows an attacker to download arbitrary files from the server through a public endpoint. The flaw follows the path traversal weakness identified as CWE‑22. If exploited, sensitive server files could be disclosed, compromising the confidentiality of site data and potentially exposing configuration or credential files stored alongside the plugin.

Affected Systems

The WooCommerce Book Price plugin developed by WPos, in versions 1.3 and earlier, deployed on WordPress sites.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. No EPSS score is publicly available, so no specific exploitation probability can be cited. The vulnerability is not listed in the CISA KEV catalog. The attack appears to require only a crafted request to the plugin’s download endpoint and does not mention authentication, suggesting it is readily exploitable from the web interface. As a result, sites running an unpatched plugin face a significant risk of confidential file disclosure.

Generated by OpenCVE AI on June 18, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Book Price plugin to version 1.4 or later.
  • If upgrading is not immediately possible, temporarily block or delete the plugin’s public file download endpoint using a security plugin or web server rule.
  • Tighten filesystem permissions so that the web server process cannot read sensitive files outside the intended download directory.

Generated by OpenCVE AI on June 18, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpos
Wpos woocommerce Book Price
Vendors & Products Wordpress
Wordpress wordpress
Wpos
Wpos woocommerce Book Price

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Download in Woocommerce Book Price <= 1.3 versions.
Title WordPress Woocommerce Book Price plugin <= 1.3 - Arbitrary File Download vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpos Woocommerce Book Price
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:34:16.636Z

Reserved: 2026-01-07T12:21:11.735Z

Link: CVE-2026-22334

cve-icon Vulnrichment

Updated: 2026-06-17T12:34:13.290Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:37Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')