Description
Customer Path Traversal in Tax Exempt for WooCommerce <= 1.9.3 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a customer-controlled path traversal in the Tax Exempt for WooCommerce plugin. An attacker can manipulate a path input to read, or potentially write, files outside the intended directory, compromising the confidentiality and integrity of server data. The published CVSS vector scores the confidentiality impact as high and the integrity and availability impact as none (C:H/I:N/A:N).

Affected Systems

Addify’s Tax Exempt for WooCommerce plugin is affected in versions up to and including 1.9.3. WordPress sites with this plugin installed are potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.5 corresponds to Medium severity. With no EPSS data, the exploitation probability is uncertain, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:L/UI:N) describes a remote, low-complexity attack that requires a low-privileged account and no user interaction; based on the description, the likely route is crafted HTTP requests to the plugin’s endpoint.

Generated by OpenCVE AI on July 2, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 1.9.4 or newer, which removes the path traversal flaw.
  • Verify that the patched version no longer accepts arbitrary path inputs in the plugin’s requests.
  • If upgrading is not immediately possible, disable the Tax Exempt for WooCommerce plugin until a fix is applied.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 02 Jul 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Customer Path Traversal in Tax Exempt for WooCommerce <= 1.9.3 versions. |
| Title | | WordPress Tax Exempt for WooCommerce plugin <= 1.9.3 - Path Traversal vulnerability |
| Weaknesses | | CWE-35 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:07:11.768Z

Reserved: 2026-06-01T15:29:19.865Z

Link: CVE-2026-49779

Vulnrichment

Updated: 2026-07-02T14:07:07.366Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-35

    Path Traversal: '.../...//'