CVE-2024-9756: 
WordPress vulnerability analysis and mitigation

The Order Attachments for WooCommerce plugin for WordPress (versions 2.0 to 2.4.1) contains a vulnerability identified as CVE-2024-9756, discovered and reported by researcher luckynoob. The vulnerability was publicly disclosed on October 11, 2024, and involves unauthorized limited arbitrary file uploads due to a missing capability check on the wcoaadd_attachment AJAX action (NVD, Wordfence).

The vulnerability is classified with a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The security flaw is categorized under CWE-862 (Missing Authorization) and stems from insufficient authorization controls in the AJAX functionality of the plugin (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to upload limited file types to the system through the WooCommerce plugin. While the impact is partially mitigated by the limitation on file types that can be uploaded, it still represents a security risk to affected WordPress installations (NVD).

Website administrators running affected versions of the Order Attachments for WooCommerce plugin should update to version 2.5.0 or later, which contains the security fix. The patch addresses the missing capability check in the AJAX functionality (Wordfence).