CVE-2024-54262 Overview
CVE-2024-54262 is an unrestricted file upload vulnerability in the sidngr Import Export For WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 1.6.2. Authenticated attackers with low privileges can upload files of dangerous types, including web shells, to the web server. Successful exploitation grants remote code execution, full site compromise, and lateral movement opportunities within the hosting environment. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).
Critical Impact
Authenticated attackers can upload web shells and execute arbitrary code on the WordPress server, leading to complete site takeover.
Affected Products
- sidngr Import Export For WooCommerce plugin versions up to and including 1.6.2
- WordPress installations running the import-export-for-woocommerce plugin
- WooCommerce sites using vulnerable versions of the import/export extension
Discovery Timeline
- 2024-12-13 - CVE-2024-54262 published to the National Vulnerability Database (NVD)
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-54262
Vulnerability Analysis
The vulnerability stems from improper validation of file types in the import functionality of the Import Export For WooCommerce plugin. The plugin accepts uploaded files intended for product import operations but fails to restrict dangerous file extensions such as .php, .phtml, or other server-executable formats. An authenticated user with minimal privileges can submit a crafted upload request containing PHP code. The plugin writes the file to a web-accessible directory without enforcing MIME type or extension allowlists.
The EPSS score of approximately 54.8% places this vulnerability in the 98th percentile for exploitation likelihood, indicating high attacker interest in WordPress plugin file upload flaws.
Root Cause
The root cause is missing or insufficient validation logic in the file upload handler. The plugin trusts the supplied filename and content type without server-side verification. No allowlist of safe extensions exists, and no content inspection prevents executable payloads from being saved within the WordPress uploads directory or another reachable path.
Attack Vector
An attacker authenticated to the WordPress instance sends a multipart upload request to the plugin's import endpoint. The request includes a PHP file disguised as a CSV or XML import payload. After the server stores the file, the attacker requests the file's URL directly, triggering PHP execution under the web server's user context. From there, the attacker can install persistent backdoors, exfiltrate database credentials from wp-config.php, or pivot to other tenants on shared hosting.
No verified public exploit code is available at this time. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-54262
Indicators of Compromise
- New PHP files appearing in wp-content/uploads/ or plugin-specific import directories with recent timestamps
- HTTP POST requests targeting the Import Export For WooCommerce import endpoint with non-standard file extensions in the multipart payload
- Outbound network connections from the WordPress server to unfamiliar IP addresses shortly after import activity
- Unexpected WordPress administrator or shop manager accounts created after suspicious upload events
Detection Strategies
- Monitor WordPress access logs for POST requests to plugin import handlers followed by GET requests to newly created files in upload directories
- Deploy file integrity monitoring on wp-content/uploads/ to alert on creation of .php, .phtml, .phar, or .htaccess files
- Inspect web server logs for HTTP 200 responses serving PHP files from upload paths that should contain only media assets
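The first and third strategies above can be implemented as one log pass: every successful GET of a PHP file under wp-content/uploads/ is flagged, and it is escalated when an import POST preceded it within a time window. This is an added example, not code from the page or the plugin; the import handler path it matches on (the plugin slug in the admin URL) and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumed: the plugin's import handler is reached through its slug in the admin URL;
# replace with the real handler path observed on your site.
IMPORT_RE = re.compile(r'import-export-for-woocommerce', re.I)
# Server-executable extensions that should never be served from uploads.
EXEC_RE = re.compile(r'/wp-content/uploads/.*\.(php|phtml|phar)(\?|$)', re.I)

def parse(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, window=timedelta(minutes=30)):
    """Flag every successful GET of a PHP file under uploads (suspicious on its own),
    and mark it critical when an import POST preceded it within `window`.
    Lines are assumed to be in chronological order, as access logs normally are."""
    last_import_post = None
    findings = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and IMPORT_RE.search(rec["path"]):
            last_import_post = rec
        elif rec["method"] == "GET" and rec["status"] == 200 and EXEC_RE.search(rec["path"]):
            linked = (last_import_post is not None
                      and rec["ts"] - last_import_post["ts"] <= window)
            findings.append({"severity": "critical" if linked else "high",
                             "ip": rec["ip"], "path": rec["path"],
                             "import_post_ip": last_import_post["ip"] if linked else None})
    return findings

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin.php?page=import-export-for-woocommerce HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2024:10:01:40 +0000] "GET /wp-content/uploads/2024/12/products.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2024:10:05:00 +0000] "GET /wp-content/uploads/2024/12/banner.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A 200 response for a PHP path under uploads is already a finding on a correctly hardened server (see the Workarounds section), so the "high" tier fires even when the import POST was logged elsewhere.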
Monitoring Recommendations
- Enable WordPress audit logging for plugin import and file upload events tied to authenticated sessions
- Forward web server and application logs to a centralized SIEM for correlation across authentication and upload activity
- Alert on web shell signatures such as eval(base64_decode(, system($_GET, or passthru($_REQUEST appearing in newly written files
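The file-integrity rule in the Detection Strategies section and the signature alert above can be combined into one scan of the uploads tree: files are reported when their name is server-executable, or when their bytes carry one of the listed signatures regardless of extension (so an image-named PHP file is still caught). This is an added example, not code from the page or the plugin; the sample tree it builds is constructed for demonstration.

```python
import tempfile
import time
from pathlib import Path

# File names the integrity rule above should alert on inside wp-content/uploads/.
ALERT_SUFFIXES = {".php", ".phtml", ".phar"}
# Web shell signatures from the monitoring recommendations above.
SHELL_SIGNATURES = [b"eval(base64_decode(", b"system($_GET", b"passthru($_REQUEST"]

def scan_uploads(uploads_dir, max_age_seconds=None):
    """Walk uploads_dir and report files that are server-executable by name or that
    carry a web shell signature regardless of extension. With max_age_seconds set,
    only files modified within that window are inspected (a 'newly written' filter)."""
    now = time.time()
    root = Path(uploads_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if max_age_seconds is not None and now - path.stat().st_mtime > max_age_seconds:
            continue
        reasons = []
        # pathlib gives ".htaccess" an empty suffix, so match it by name.
        if path.suffix.lower() in ALERT_SUFFIXES or path.name == ".htaccess":
            reasons.append("executable-or-config file in uploads")
        with open(path, "rb") as fh:
            head = fh.read(65536)  # dropped shells are small; the first 64 KiB suffices
        reasons += ["signature: " + sig.decode() for sig in SHELL_SIGNATURES if sig in head]
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample uploads tree for demonstration: a clean image and CSV, a
    dropped .php file, and an image-named file whose body is PHP (extension spoofing).
    The PHP bodies are deliberately incomplete and will not execute."""
    root = tempfile.mkdtemp(prefix="uploads-")
    d = Path(root, "2024", "12")
    d.mkdir(parents=True)
    (d / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 64)
    (d / "products.csv").write_bytes(b"sku,name\n1,Widget\n")
    (d / "products.php").write_bytes(b"<?php " + SHELL_SIGNATURES[0] + b" /* truncated sample */")
    (d / "photo.jpg").write_bytes(b"<?php " + SHELL_SIGNATURES[2] + b" /* truncated sample */")
    return root

if __name__ == "__main__":
    for rel, reasons in scan_uploads(build_sample_tree()):
        print(rel, "->", "; ".join(reasons))
```

Run it from a cron job or a SIEM collector with max_age_seconds set to the polling interval so only newly written files are inspected on each pass.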
How to Mitigate CVE-2024-54262
Immediate Actions Required
- Update the Import Export For WooCommerce plugin to a version newer than 1.6.2 as soon as the vendor releases a fixed build
- Audit wp-content/uploads/ and plugin directories for unauthorized PHP files and remove any web shells discovered
- Rotate all WordPress administrator credentials, database passwords, and API keys stored in wp-config.php if compromise is suspected
- Review user accounts and revoke privileges for any unrecognized or recently created shop manager or administrator users
Patch Information
At the time of publication, the vendor advisory listed via Patchstack confirms the issue affects versions through 1.6.2. Site administrators should monitor the WordPress plugin repository for the patched release and apply it immediately.
Workarounds
- Disable the Import Export For WooCommerce plugin until a patched version is installed
- Restrict access to the WordPress admin area using IP allowlists or web application firewall rules
- Configure the web server to deny PHP execution within wp-content/uploads/ using directory-level rules
- Remove or downgrade privileges for non-essential accounts that have access to plugin import functionality
# Apache 2.4 configuration (main server config or vhost) to block PHP execution in the
# WordPress uploads directory; "Require" directives need Apache 2.4 or later
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7|phps)$">
        Require all denied
    </FilesMatch>
</Directory>

# Nginx equivalent; place it before the generic "location ~ \.php$" block, because the
# first matching regex location wins and the file must never reach the PHP handler
location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.