CVE-2024-2381
AliExpress Dropshipping with AliNext Lite <= 3.3.5 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
| CWE | CWE-434 |
| Vendor | ali2woo |
| Product | aliexpress dropshipping plugin for woocommerce & wordpress |
| Published | Jun 19, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for ali2woo aliexpress dropshipping plugin for woocommerce & wordpress
Be the first to know when new high vulnerabilities affecting ali2woo aliexpress dropshipping plugin for woocommerce & wordpress are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
ali2woo / AliExpress Dropshipping Plugin for WooCommerce & WordPress
0 โค 3.3.5
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3107543/ali2woo-lite/trunk/includes/classes/controller/WooCommerceProductEditController.php
Credits
Lucio Sรก