CVE-2024-13744: Unrestricted File Upload in FOR Woocommerce

Severity
NVD: 9.8 CRITICAL
CNA: 8.1
EPSS
1.6% (top 18.39%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 4

Description

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5 | pluggabl/booster_for_woocommerce | 4.0.1 | 7.2.4
NVD | booster/booster | 4.0.1 | 7.2.5

Patches

Vulnerability Details (2)

CVEList: Booster for WooCommerce 4.0.1 - 7.2.4 - Unauthenticated Arbitrary File Upload (2025-04-04)
GHSA: GHSA-gffv-vp66-96qc: The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_i (2025-04-04)