MEDIUM
sayantandas20
CVE published 2026-07-08
CVE-2026-14500
The Bulk Order Update for WooCommerce plugin for WordPress has a vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This is due to the bouw_fetch_csv_data() AJAX handler being registered on the wp_ajax_nopriv_ hook with no capability or nonce check. The handler passes the attacker-supplied csv_url POST parameter directly into fopen()/fgetcsv() and reflects the first [truncated]