CVE-2024-9170 in Booster for WooCommerce Plugin
Summary
by MITRE • 11/26/2024
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wcj_product_meta shortcode in all versions up to, and including, 7.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with ShopManager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/23/2025
The Booster for WooCommerce plugin represents a popular extension that enhances e-commerce functionality within WordPress environments, yet its vulnerability landscape presents significant security concerns for online retailers relying on this platform. This particular flaw manifests as a stored cross-site scripting vulnerability affecting all versions through 7.2.3, where the wcj_product_meta shortcode becomes a vector for malicious code injection. The vulnerability stems from inadequate input sanitization processes and insufficient output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's shortcode implementation.
The technical exploitation of this vulnerability requires authenticated access with ShopManager privileges or higher, which represents a critical privilege escalation concern given that such roles typically have administrative capabilities within WooCommerce stores. Attackers can leverage this weakness by injecting malicious scripts through the affected shortcode parameters, which then get stored within the WordPress database and executed whenever legitimate users view pages containing the compromised content. This stored nature of the vulnerability means that the malicious payload persists even after the initial injection attempt, creating a long-term threat vector that can affect multiple users over time.
From an operational standpoint, this vulnerability creates substantial risk for e-commerce businesses as it allows attackers to execute arbitrary web scripts in the context of authenticated user sessions. The impact extends beyond simple script execution to potentially enable session hijacking, data exfiltration, and further lateral movement within the compromised WordPress environment. Attackers could leverage this vector to steal sensitive customer information, manipulate product listings, or redirect users to malicious sites while maintaining persistent access through the stored scripts. The vulnerability's presence in the wcj_product_meta shortcode suggests that any product-related metadata manipulation could serve as a potential attack surface for unauthorized code injection.
Security practitioners should note that this vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a classic example of insufficient input validation combined with inadequate output sanitization. The ATT&CK framework categorizes this as a technique involving code injection within web applications, potentially leading to privilege escalation and persistent threat capabilities. Organizations should immediately implement mitigations including plugin version updates to the latest secure release, implementation of strict input validation for all user-supplied parameters, and enhanced output escaping mechanisms. Additionally, network monitoring should be enhanced to detect anomalous script execution patterns, while privileged access controls should be reinforced through proper role-based permissions and regular security audits to prevent unauthorized users from gaining ShopManager-level access to the affected systems.