Impact
The vulnerability is a customer-controlled path traversal in the Tax Exempt for WooCommerce plugin. An attacker can manipulate the path parameter to read or potentially write files outside the intended directory, compromising the confidentiality and integrity of server data.
Affected Systems
Addify’s Tax Exempt for WooCommerce plugin versions up to 1.9.3 are affected. WordPress sites running this plugin are potentially vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium to high severity scenario. With no EPSS data, the exploitation probability is uncertain, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, via crafted HTTP requests to the plugin’s endpoint.
OpenCVE Enrichment