CVE-2024-35658: 
WordPress vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-35658) was discovered in ThemeHigh's Checkout Field Editor for WooCommerce (Pro) plugin affecting versions up to 3.6.2. The vulnerability was reported on May 2, 2024, and publicly disclosed on June 3, 2024. This security issue allows unauthenticated attackers to perform file manipulation and functionality misuse through path traversal attacks (Patchstack).

The vulnerability is classified as a path traversal issue (CWE-22) that enables arbitrary file deletion functionality. It received a CVSS v3.1 base score of 9.1 (Critical) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction. Patchstack assigned a slightly lower CVSS score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (Patchstack).

The vulnerability allows malicious actors to delete files from affected WordPress websites without authentication. If core files are targeted, it could cause website breakage and loss of functionality (Patchstack).

Website administrators are advised to update to version 3.6.3 or later immediately to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the fixed version can be installed (Patchstack).