CVE-2026-14500
Received Received - Intake

Arbitrary File Read in Bulk Order Update for WooCommerce Plugin

Vulnerability report for CVE-2026-14500, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Wordfence

Description

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouw_fetch_csv_data() AJAX handler being registered on the wp_ajax_nopriv_ hook with no capability or nonce check, and passing the attacker-supplied csv_url POST parameter β€” filtered only by esc_url_raw() (which leaves absolute filesystem paths intact) and validate_file() (which only rejects '..' traversal patterns) β€” directly into fopen()/fgetcsv() and reflecting the first parsed line in the JSON response. This makes it possible for unauthenticated attackers to read the first line of arbitrary files on the server (such as /etc/passwd) and to use the handler as a file-existence oracle.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
woocommerce bulk_order_update to 1.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Bulk Order Update plugin for WooCommerce on WordPress has a vulnerability called Arbitrary File Read in versions up to 1.6. This happens because an AJAX handler named bouw_fetch_csv_data() is registered without any security checks like capability or nonce verification. It accepts a csv_url parameter from an attacker, which is only lightly filtered, allowing absolute filesystem paths to remain. This parameter is then used directly in file reading functions, enabling attackers to read the first line of any file on the server, such as /etc/passwd.

Impact Analysis

This vulnerability allows unauthenticated attackers to read the first line of arbitrary files on the server. This can expose sensitive information stored in server files, potentially aiding further attacks or information gathering. Additionally, the handler can be used as a file-existence oracle, which means attackers can determine if certain files exist on the server.

Detection Guidance

This vulnerability can be detected by attempting to access the AJAX handler 'bouw_fetch_csv_data' without authentication and supplying a crafted 'csv_url' POST parameter to read arbitrary files on the server.

A possible detection method is to send a POST request to the endpoint handling the 'wp_ajax_nopriv_bouw_fetch_csv_data' action with a 'csv_url' parameter pointing to a sensitive file such as '/etc/passwd'. If the first line of the file is returned in the JSON response, the vulnerability is present.

Example command using curl to test for the vulnerability:

  • curl -X POST -d "action=bouw_fetch_csv_data&csv_url=file:///etc/passwd" https://your-wordpress-site.com/wp-admin/admin-ajax.php

If the response contains the first line of /etc/passwd or any other file, the vulnerability exists.

Mitigation Strategies

Immediate mitigation steps include:

  • Update the Bulk Order Update for WooCommerce plugin to a version later than 1.6 where this vulnerability is fixed.
  • If an update is not immediately possible, restrict access to the AJAX handler by implementing proper capability checks or nonce verification to prevent unauthenticated access.
  • As a temporary measure, block or restrict access to the 'wp-admin/admin-ajax.php' endpoint for unauthenticated users via web server or firewall rules.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart