CVE-2024-13359: 
WordPress vulnerability analysis and mitigation

The Product Input Fields for WooCommerce plugin for WordPress contains a critical vulnerability (CVE-2024-13359) discovered in March 2025. The vulnerability affects all versions up to and including 1.12.0, allowing unauthenticated attackers to upload arbitrary files due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function (NVD).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 9.8 (CRITICAL) according to NVD, and 8.1 (HIGH) according to Wordfence. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

If exploited, this vulnerability could allow attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. By default, the plugin is vulnerable to double extension file upload attacks, and the risk increases if administrators leave the accepted file extensions field blank, which could enable direct .php file uploads (NVD).

Users are advised to update to version 1.12.1 or later, which contains the patch for this vulnerability. It's worth noting that version 1.12.2 was initially mistakenly marked as patched while 1.12.1 was marked as vulnerable, but this has been corrected, and version 1.12.1 is confirmed to be fully patched (NVD).