CVE-2024-7257 | YayExtra – WooCommerce Extra Product Options <= 1.3.7 - Unauthenticated Arbitrary File Upload via handle_upload_file Function
The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Conclusion & alert: CVE-2024-7257 is rated Moderate Risk (54.6/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.00%).Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2024-7257
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).