{"id":72925,"date":"2025-09-08T11:17:14","date_gmt":"2025-09-08T11:17:14","guid":{"rendered":""},"modified":"2025-09-27T07:38:43","modified_gmt":"2025-09-27T13:38:43","slug":"cve-2024-13342-arbitrary-file-upload-vulnerability-in-booster-for-woocommerce-plugin","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2024-13342-arbitrary-file-upload-vulnerability-in-booster-for-woocommerce-plugin\/","title":{"rendered":"<strong>CVE-2024-13342: Arbitrary File Upload Vulnerability in Booster for WooCommerce Plugin<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>CVE-2024-13342 is a serious vulnerability discovered in the Booster for WooCommerce plugin for WordPress. It affects all versions up to and including 7.2.4 and exposes websites to the risk of arbitrary file uploads by unauthenticated attackers. This <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-49555-adobe-commerce-csrf-vulnerability-leading-to-privilege-escalation\/\"  data-wpil-monitor-id=\"80557\">vulnerability is particularly significant because it can potentially lead<\/a> to remote code execution, compromising the security and integrity of the affected websites. 
If successfully exploited, attackers could gain <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-49707-unauthorized-access-and-spoofing-vulnerability-in-azure-virtual-machines\/\"  data-wpil-monitor-id=\"80796\">unauthorized access<\/a> to sensitive data, disrupt website operations, or even take control of the entire system.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2024-13342<br \/>\nSeverity: High (CVSS: 8.1)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-6079-arbitrary-file-upload-vulnerability-in-school-management-system-for-wordpress-plugin\/\"  data-wpil-monitor-id=\"80597\">Arbitrary file upload<\/a>, potential system compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<p>Product | Affected Versions<\/p>\n<p>Booster for <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5746-arbitrary-file-upload-vulnerability-in-woocommerce-plugin-for-wordpress\/\"  data-wpil-monitor-id=\"92063\">WooCommerce Plugin<\/a> | Up to and including 7.2.4<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The vulnerability is rooted in the &#8216;add_files_to_order&#8217; function of the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-53213-unrestricted-upload-of-file-with-dangerous-type-vulnerability-in-woocommerce-multi-carrier-conditional-shipping-plugin\/\"  data-wpil-monitor-id=\"81747\">Booster<\/a> for WooCommerce plugin. This function lacks proper file type validation, making it possible for unauthenticated attackers to upload <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5391-arbitrary-file-deletion-vulnerability-in-woocommerce-purchase-orders-plugin-for-wordpress\/\"  data-wpil-monitor-id=\"81294\">arbitrary files<\/a> with double extensions on the affected site&#8217;s server. 
The server might mistakenly execute the first extension present, leading to malicious <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-50177-code-execution-vulnerability-in-windows-message-queuing\/\"  data-wpil-monitor-id=\"80546\">code execution<\/a>.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>Here is a conceptual example of how an attacker might exploit this vulnerability:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-content\/plugins\/booster-for-woocommerce\/endpoint HTTP\/1.1\nHost: target.example.com\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundaryzXJpHSYBBGZvKJN7\n\n------WebKitFormBoundaryzXJpHSYBBGZvKJN7\nContent-Disposition: form-data; name=&quot;file&quot;; filename=&quot;exploit.php.jpg&quot;\nContent-Type: image\/jpeg\n\n[...binary data...]\n------WebKitFormBoundaryzXJpHSYBBGZvKJN7--<\/code><\/pre>\n<p>In this example, &#8216;exploit.php.jpg&#8217; is a double extension file with <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-8714-critical-postgresql-vulnerability-allowing-malicious-code-injection-by-superusers\/\"  data-wpil-monitor-id=\"80788\">malicious PHP code<\/a>. 
Since the server checks only the first extension and executes it, the PHP code gets executed, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-53192-critical-vulnerability-in-unsupported-apache-commons-ognl-leads-to-potential-arbitrary-code-execution\/\"  data-wpil-monitor-id=\"80563\">leading to potential<\/a> system compromise.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p>The vendor has <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-35115-critical-system-package-download-vulnerability-in-agiloft-release-28\/\"  data-wpil-monitor-id=\"85314\">released a patch to fix this vulnerability<\/a>, and users are strongly encouraged to apply this patch as soon as possible. As a temporary mitigation, users can also use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to block malicious <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-53251-unrestricted-file-upload-vulnerability-in-an-themes-pin-wp\/\"  data-wpil-monitor-id=\"81375\">file upload<\/a> attempts. However, these measures only lessen the risk and cannot completely eliminate it. Regular updates and patch <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3671-critical-local-file-inclusion-vulnerability-in-wpgym-wordpress-gym-management-system-plugin\/\"  data-wpil-monitor-id=\"80517\">management are key to maintaining a secure system<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview CVE-2024-13342 is a serious vulnerability discovered in the Booster for WooCommerce plugin for WordPress. It affects all versions up to and including 7.2.4 and exposes websites to the risk of arbitrary file uploads by unauthenticated attackers. 
This vulnerability is particularly significant because it can potentially lead to remote code execution, compromising the security and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-72925","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/72925","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=72925"}],"version-history":[{"count":12,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/72925\/revisions"}],"predecessor-version":[{"id":85270,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/72925\/revisions\/85270"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=72925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=72925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=72925"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=72925"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=72925"},{"taxonomy":"attack_vector","embeddable":true,"href
":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=72925"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=72925"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=72925"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=72925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}