The most popular e-commerce website plugin WooCommerce installed in almost 4 million websites. RipsTech has found file deletion vulnerability form WooCommerce plugin. This issue has been fixed in 3.4.6 version.
Arbitrary file deleting bug isn’t considered critical in most cases as the only thing an attacker can cause DDOS of the website. How deleting certain plugin files in WordPress can disable security checks and then leads to a full site takeover. This fault is designed in WordPress.
Shop managers are employees of the e-commerce store that can manage order, product, and customers. Such could be obtained by XSS or using phishing methods. But in this vulnerability, the user can access admin using RCE attack. By default, Only admin can disable the plugins This vulnerability allows shop managers to delete any file on the server that is writable. By deleting the main file of WooCommerce, WordPress will be unable to load the plugin and then disables it.