CVE Alert: CVE-2024-13342 – pluggabl – Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools
CVE-2024-13342
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘add_files_to_order’ function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site’s server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
AI Summary Analysis
Risk verdict
High risk if unpatched; no active exploitation signals are evident, but remote, unauthenticated file upload could enable full server compromise under certain configurations.
Why this matters
Unauthenticated attackers can upload arbitrary files via the vulnerable upload path, with potential remote code execution if the server executes the uploaded payload. For ecommerce sites, this threatens data integrity, customer data, and uptime, with possible defacement or persistence across the site.
Most likely attack path
An attacker targets exposed instances of the vulnerable plugin over the internet (AV: remote). Exploitation is rated high complexity and depends on a server configuration that executes the first extension of a double-extension filename; if the uploaded payload is accepted and executed, the attacker could place a web shell or similar code, enabling further access or data exfiltration. No user interaction or privileges are required, but success is contingent on server-side file execution policies and upload handling.
Who is most exposed
WordPress sites using the Booster for WooCommerce plugin, especially on shared hosting or servers with permissive upload directories and misconfigured PHP execution in uploads.
Detection ideas
- Files with double extensions uploaded to order-related endpoints (e.g., something.php.jpg) or unexpected PHP files in uploads.
- PHP payloads or web shells appearing in the uploads directory or web-accessible paths.
- Unusual spikes in anonymous file uploads or POST requests to the upload function without authentication.
- Content-type and extension mismatches; script execution attempts reflected in server logs.
- New executable scripts being run from the uploads area, or sudden 500/502 errors immediately after uploads.
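The following Python snippet is an added example (not part of the advisory or the plugin's code) that turns the first, second and last detection ideas above into a check: it flags filenames in an uploads listing where any extension, not only the last, is a PHP-style executable extension, and it scans combined-format web server log lines for requests that reach such files under /wp-content/uploads/. The log and listing entries are constructed samples, not real indicators.

```python
import re

# Extensions a PHP host may execute. The advisory notes that some
# configurations act on the FIRST extension, so "shell.php.jpg" matters.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Apache/nginx combined-log style pattern (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_upload_name(filename: str) -> bool:
    """True when any extension in the name (not only the last) is executable."""
    # Catches plain PHP drops (shell.php) and double extensions (shell.php.jpg).
    base = filename.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]  # everything after the base name
    return any(ext in EXECUTABLE_EXTS for ext in exts)

def find_suspicious_uploads(listing):
    """Filter an uploads directory listing (relative paths) down to risky names."""
    return [p for p in listing if suspicious_upload_name(p)]

def scan_access_log(lines):
    """Return (ip, path, status) for requests to script-like files under uploads."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if "/wp-content/uploads/" in path and suspicious_upload_name(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

# Constructed sample data: not real logs, files or indicators.
SAMPLE_LISTING = [
    "2024/05/invoice-123.pdf", "2024/05/photo.jpg",
    "2024/05/order-notes.php.jpg", "2024/05/wc-cache.phtml",
]
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-content/uploads/2024/05/order-notes.php.jpg HTTP/1.1" 200 87',
    '203.0.113.9 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-content/uploads/2024/05/wc-cache.phtml HTTP/1.1" 500 0',
]
```

Running `find_suspicious_uploads(SAMPLE_LISTING)` and `scan_access_log(SAMPLE_LOG)` surfaces only the two double- or PHP-extension entries, which is the review queue a defender would hand to incident response.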
Mitigation and prioritisation
- Patch to the vendor’s fixed version or latest available release; verify upgrade on staging before production.
- If patching quickly isn’t possible, disable the vulnerable upload functionality or the plugin feature involved in order uploads.
- Enforce strict upload controls: deny double extensions, restrict to safe file types, and disable PHP execution in uploads directories.
- Relocate uploads to non-executable paths; implement WAF rules to block suspicious file patterns.
- Change-management: back up, test in staging, and roll out with monitoring; establish a rollback plan.