CVE-2024-13744 in Booster for WooCommerce Plugin
Summary
by MITRE • 04/04/2025
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/04/2025
The vulnerability identified as CVE-2024-13744 affects the Booster for WooCommerce plugin, a popular WordPress extension that enhances e-commerce functionality. This security flaw exists within the plugin's validate_product_input_fields_on_add_to_cart function, which is responsible for validating product input fields when items are added to the shopping cart. The vulnerability specifically manifests in versions ranging from 4.0.1 through 7.2.4, creating a persistent security risk across multiple releases. The core issue stems from inadequate file type validation mechanisms that fail to properly verify the nature of uploaded files, leaving the system exposed to malicious file uploads.
The technical exploitation of this vulnerability occurs through the absence of proper file validation checks within the plugin's file upload handling process. When users interact with the add to cart functionality, the system accepts file uploads without sufficient verification of file extensions, MIME types, or content signatures. This missing validation creates a pathway for unauthenticated attackers to bypass normal security controls and upload potentially malicious files to the WordPress server. The vulnerability operates at the application layer, specifically targeting the plugin's file handling capabilities within the broader WordPress ecosystem.
The operational impact of this vulnerability extends beyond simple file upload capabilities and presents a significant risk for remote code execution. Attackers who successfully exploit this weakness can potentially upload web shells, malicious scripts, or other executable files that could compromise the entire WordPress installation. This arbitrary file upload vulnerability aligns with CWE-434, which describes the improper restriction of uploads of executable code, and represents a critical security gap that could lead to complete system compromise. The unauthenticated nature of the attack means that any visitor to the website could potentially exploit this flaw without requiring prior login credentials or elevated privileges.
Organizations running affected versions of the Booster for WooCommerce plugin face substantial risk of unauthorized access and potential data breaches. The vulnerability could enable attackers to establish persistent backdoors, steal sensitive customer information, modify product listings, or deface the website. This type of vulnerability commonly maps to ATT&CK technique T1190, which involves the exploitation of vulnerabilities in web applications to gain initial access to systems. The impact is particularly severe for e-commerce sites where customer data, payment information, and business-critical product data are stored, making the exploitation of such vulnerabilities a high-priority concern for security teams.
The recommended mitigation strategy involves immediate upgrading to the latest version of the Booster for WooCommerce plugin where this vulnerability has been addressed. Administrators should also implement additional protective measures including restricting file upload capabilities, implementing proper file type validation at multiple layers, and monitoring for suspicious file upload activities. Network-based solutions such as web application firewalls can provide additional protection by blocking malicious upload attempts. Regular security audits and vulnerability assessments should be conducted to identify similar issues within other plugins and themes, as this vulnerability demonstrates the importance of proper input validation and file handling practices in WordPress environments.