CVE-2024-13342 in Booster for WooCommerce Plugin

Summary

by MITRE • 08/29/2025

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.


Analysis

by VulDB Data Team • 12/08/2025

The vulnerability identified as CVE-2024-13342 affects the Booster for WooCommerce plugin, a popular WordPress extension that adds e-commerce functionality. The flaw lies in the plugin's 'add_files_to_order' function and affects all versions up to and including 7.2.4, giving malicious actors a critical entry point into affected WordPress installations. It stems from the absence of file type validation during the upload process, which lets attackers bypass the intended upload restrictions through the way the uploaded file is named.

Exploitation relies on manipulating file extensions to produce files with double extensions such as .php.jpg or .jpg.php, which some web server configurations process in a way that executes the PHP portion of the filename. This is a classic file upload weakness and aligns with CWE-434, which covers insecure file upload handling where an application accepts files without properly validating their content or extension. The vulnerability is particularly dangerous because unauthenticated attackers can upload malicious files to the server, potentially leading to complete system compromise.

The operational impact extends beyond the file upload itself: when the server configuration executes files with certain extensions, the upload becomes remote code execution. That makes the vulnerability attractive to attackers who can use it to establish persistent access, deploy malware, or conduct further reconnaissance within the compromised environment. The attack vector is straightforward, requiring only the ability to submit data to the plugin's file upload functionality, which is often reachable through user-facing interfaces or API endpoints that do not require authentication.

Organizations running affected versions of the Booster for WooCommerce plugin face a significant risk of exploitation, especially where the web server configuration may execute PHP files with double extensions. Exploitation is limited by the server configuration, but the flaw can be effectively mitigated through proper file extension validation and content type checking. Recommended mitigations are: update the plugin immediately to a version that addresses this vulnerability; implement file validation that checks both the file extension and the content signature; and ensure the server configuration handles file execution permissions so that uploaded files with potentially dangerous extensions cannot be executed. The vulnerability also illustrates why defensive planning should follow ATT&CK framework principles, particularly around execution and privilege escalation through web shells, since the initial upload can serve as a foothold for a wider intrusion.
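To make the file validation mitigation concrete, here is an added example in plain PHP (not code from the Booster for WooCommerce plugin or from VulDB): a check that inspects only the final extension, beside a validator that rejects double extensions, verifies the file's magic bytes against the extension, and stores the file under a server-generated name. Function and constant names are assumptions.

```php
<?php
// Added example (not Booster for WooCommerce code): a last-extension-only
// check next to a validator that rejects double extensions and verifies
// magic bytes. Function and constant names are hypothetical.

const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'pdf'];
const ALLOWED_MIME = [
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
    'application/pdf' => ['pdf'],
];

// Weak: only the final extension is inspected, so "invoice.php.jpg" passes;
// a server that honours the first extension may then execute it as PHP.
function weak_check(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Hardened: exactly one extension, on the allowlist, matching the content.
// Returns the generated storage name, or null when the upload is rejected.
function hardened_check(string $name, string $tmpPath): ?string {
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;   // no extension, or a dotted name such as "x.php.jpg"
    }
    $ext = $parts[1];
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_MIME[$mime]) || !in_array($ext, ALLOWED_MIME[$mime], true)) {
        return null;   // content signature does not match the extension
    }
    // Store under a server-generated name with a single extension; the
    // client-supplied name never reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a temp file beginning with the PNG signature.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
var_dump(weak_check('invoice.php.jpg'));        // the bypass the advisory describes
var_dump(hardened_check('invoice.php.jpg', $tmp));
var_dump(hardened_check('photo.png', $tmp) !== null);
unlink($tmp);
```

Disabling script execution in the uploads directory at the web server is a separate, complementary control; the validator above does not replace it.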
