CVE-2024-13342

High CVSS: 8.1

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.

Vendor

Booster

Product

Booster For Woocommerce

CWE

CWE-434

Yayın Tarihi

2025-08-29 11:15:30

Güncelleme

2025-12-08 19:02:48

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-434 Booster For Woocommerce HIGH Booster 2025

Referanslar

https://plugins.trac.wordpress.org/browser/woocommerce-jetpack/tags/7.2.4/includes/class-wcj-checkout-files-upload.php#L452 https://plugins.trac.wordpress.org/changeset/3262569/ https://www.wordfence.com/threat-intel/vulnerabilities/id/5ac8a125-121c-4392-846e-625726043972?source=cve

Benzer Kayıtlar

Medium

CVE-2025-64380

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster f…

Medium

CVE-2025-64379

Missing Authorization vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Exploiting Incorrectl…

High

CVE-2025-64196

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster f…

High

CVE-2025-39446

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl LLC Boost…

High

CVE-2024-13708

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in ve…

High

CVE-2024-13744

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type valida…