When uploading MP3 files, the embedded artwork/cover is automatically extracted during the upload process and stored in the same “woocommerce_uploads” folder as the audio file.
While it’s convenient to use this extracted image as the product’s featured image (eliminating the need to upload the image manually and avoiding duplicates), there is a potential security risk.
Even if the “unique string after the filename” option is enabled in the WooCommerce settings, the extracted artwork is saved with the same filename as the original MP3 file. This allows for the possibility of filename spoofing, where an attacker could potentially guess and download the original audio file.
As a workaround, I’ve modified the .htaccess file in the woocommerce_uploads folder to deny access to all files except images. Initially, I wasn’t able to use these extracted images as featured images because they resulted in a 403 error.
Suggestions for improvement:
1) Add another random string to the image filename or, alternatively, remove the string from the image file and apply it only to the MP3 file.
2) Automatically set the post title/media title, as currently these images are uploaded with “no title.”
Please investigate this issue further and consider these improvements for future updates.
Open
Last updated: September 26, 2024
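An audit for the filename overlap described in this request, as an added example that is not part of the original request or of the plugin's code: it walks an uploads folder and lists every image that shares a directory and base name with a non-image file, so a publicly served cover would disclose the name of a protected download. The image extension list, the function names and the sample file names are assumptions made for the example.

```python
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption: extensions the extracted artwork may be saved with.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def find_exposed_pairs(root):
    """Return sorted (image, download) relative paths that share a folder and base name."""
    root = Path(root)
    groups = defaultdict(list)
    for path in root.rglob("*"):
        # Dotfiles such as .htaccess have no suffix and are skipped.
        if path.is_file() and path.suffix:
            groups[(path.parent, path.stem.lower())].append(path)
    pairs = []
    for paths in groups.values():
        images = [p for p in paths if p.suffix.lower() in IMAGE_EXTS]
        downloads = [p for p in paths if p.suffix.lower() not in IMAGE_EXTS]
        for img in images:
            for dl in downloads:
                pairs.append((img.relative_to(root).as_posix(),
                              dl.relative_to(root).as_posix()))
    return sorted(pairs)


def build_sample_tree(root):
    """Create a constructed sample layout; every file name here is made up."""
    root = Path(root)
    (root / "2024" / "09").mkdir(parents=True)
    for rel in ("2024/09/track-one-a1b2c3.mp3", "2024/09/track-one-a1b2c3.jpg",
                "2024/09/track-two-d4e5f6.mp3", "2024/09/cover-unrelated.png",
                "index.html", ".htaccess"):
        (root / rel).touch()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]          # path to a real uploads folder
    else:
        target = tempfile.mkdtemp()   # fall back to the constructed sample
        build_sample_tree(target)
    for image, download in find_exposed_pairs(target):
        print(f"{image} shares its name with {download}")
```

Run it with the path to the woocommerce_uploads folder as the only argument; each reported image is a candidate for renaming or for moving out of the protected folder.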