Product Icon

WooCommerce

Sell online with the flexible, customizable eCommerce platform designed to grow with your business. From your first sale to millions in revenue, Woo is with you. See why merchants trust us to power 3.4 million online stores.

Security Issue with Downloadable Files in WooCommerce

When uploading MP3 files, the embedded artwork/cover is automatically extracted during the upload process and stored in the same “woocommerce_uploads” folder as the audio file.

While it’s convenient to use this extracted image as the product’s featured image (eliminating the need to upload the image manually and avoiding duplicates), there is a potential security risk.

Even if the “unique string after the filename” option is enabled in the WooCommerce settings, the extracted artwork is saved with the same filename as the original MP3 file. This allows for the possibility of filename spoofing, where an attacker could potentially guess and download the original audio file.

As a workaround, I’ve modified the .htaccess file in the woocommerce_uploads folder to deny access to all files except images. Initially, I wasn’t able to use these extracted images as featured images because they resulted in a 403 error.

Suggestions for improvement:

1) Add another random string to the image filename or, alternatively, remove the string from the image file and apply it only to the MP3 file.
2) Automatically set the post title/media title, as currently these images are uploaded with “no title.”
Please investigate this issue further and consider these improvements for future updates.

Author

Giulio

Current Status

Open

Last updated: September 26, 2024

0 comments

Log in to comment on this feature request.

Use of your personal data
We and our partners process your personal data (such as browsing data, IP Addresses, cookie information, and other unique identifiers) based on your consent and/or our legitimate interest to optimize our website, marketing activities, and your user experience.