CVE-2024-13342Unrestricted File Upload in FOR Woocommerce

CWE-434Unrestricted File Upload3 documents3 sources
Severity
9.8CRITICALNVD
CNA8.1
EPSS
0.5%
top 36.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Booster FOR Woocommerce
Timeline
PublishedAug 29

Description

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDbooster/booster< 7.2.5

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
CVEList
Booster for WooCommerce <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload2025-08-29
GHSA
GHSA-qqhq-9wvx-3f6c: The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_orde2025-08-29
CVE-2024-13342 — Unrestricted File Upload | cvebase