CVE-2024-13744 Overview
CVE-2024-13744 is a critical arbitrary file upload vulnerability affecting the Booster for WooCommerce plugin for WordPress. The vulnerability exists due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This security flaw enables unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution.
Critical Impact
Unauthenticated attackers can upload malicious files, including PHP web shells, leading to remote code execution and complete server compromise.
Affected Products
- Booster for WooCommerce versions 4.0.1 through 7.2.4
- WordPress sites running vulnerable Booster for WooCommerce installations
- WooCommerce deployments utilizing the Booster plugin product input fields feature
Discovery Timeline
- 2025-04-04 - CVE-2024-13744 published to NVD
- 2025-04-09 - Last updated in NVD database
Technical Details for CVE-2024-13744
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw resides within the product input fields functionality of the Booster for WooCommerce plugin. When processing file uploads through the add-to-cart functionality, the validate_product_input_fields_on_add_to_cart function fails to properly validate the type of files being uploaded.
The absence of file type validation means attackers can bypass intended restrictions and upload files with dangerous extensions such as .php, .phtml, or other executable server-side scripts. Once uploaded, these malicious files can be accessed directly through the web server, allowing attackers to execute arbitrary code in the context of the web server process.
Root Cause
The root cause of this vulnerability is the missing file type validation logic within the validate_product_input_fields_on_add_to_cart function located in class-wcj-product-input-fields-core.php. The function accepts file uploads as part of the WooCommerce product input fields feature but does not verify that uploaded files match an allowlist of safe file types or extensions. This oversight allows any file type to be uploaded to the server, including executable scripts.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by:
- Identifying a WordPress site running a vulnerable version of Booster for WooCommerce (4.0.1 - 7.2.4)
- Locating a product page that utilizes the product input fields feature with file upload capability
- Crafting a malicious file (such as a PHP web shell) and submitting it through the add-to-cart form
- Accessing the uploaded malicious file directly via its URL on the server
- Executing arbitrary commands through the uploaded web shell
The vulnerability requires no user interaction and can be exploited directly over the network against any exposed WordPress installation running the vulnerable plugin versions.
Detection Methods for CVE-2024-13744
Indicators of Compromise
- Unexpected PHP files or other executable scripts appearing in WordPress upload directories
- Suspicious files in /wp-content/uploads/ with recent timestamps and unusual naming patterns
- Web server access logs showing requests to newly created PHP files in upload directories
- Outbound network connections originating from the web server to unknown destinations
Detection Strategies
- Monitor file system changes in WordPress upload directories for new executable files (.php, .phtml, .php5, etc.)
- Implement web application firewall (WAF) rules to detect and block file upload attempts with executable extensions
- Review web server access logs for patterns indicating file upload exploitation attempts
- Deploy file integrity monitoring to alert on unauthorized file creations in web-accessible directories
Monitoring Recommendations
- Enable real-time file system monitoring for the WordPress uploads directory structure
- Configure alerting for any POST requests to product pages containing file upload payloads with suspicious MIME types
- Monitor WordPress error logs for unusual file handling errors that may indicate exploitation attempts
- Implement regular security scans to detect web shells and unauthorized files in the WordPress installation
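The log review and file-system checks described in the detection section, as an added example that is not part of this advisory or of the Booster plugin. It parses combined-format access log lines for requests to executable files under /wp-content/uploads/ (keeping the status code so a served shell can be told apart from one blocked by the workaround rules) and filters a file listing for the same extensions; the log lines are constructed samples.

```python
"""Log and file-system checks for the CVE-2024-13744 indicators above.
Added example; not code from the advisory or the Booster plugin."""
import os
import re

# Server-side extensions the advisory names as dangerous (.php, .phtml, .php5, ...)
EXEC_EXT = re.compile(r"\.(?:php|phtml|php[3-7])$", re.IGNORECASE)
# Apache/Nginx combined log format: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADS_PREFIX = "/wp-content/uploads/"

def suspicious_upload_requests(lines):
    """Return requests that fetch an executable file from the uploads tree.
    The status code is kept so a 200 (shell reachable) can be told apart
    from a 403 (blocked by the .htaccess / nginx rule in the workarounds)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m.group("target").split("?", 1)[0]  # drop the query string
        if path.startswith(UPLOADS_PREFIX) and EXEC_EXT.search(path):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "method": m.group("method"), "path": path,
                         "status": int(m.group("status"))})
    return hits

def executable_files(paths):
    """Filter file paths down to those with server-side executable extensions."""
    return sorted(p for p in paths if EXEC_EXT.search(p))

def scan_uploads_dir(root):
    """Walk a real wp-content/uploads directory on the host being checked."""
    return executable_files(os.path.join(d, f)
                            for d, _, files in os.walk(root) for f in files)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2025:12:00:01 +0000] "POST /product/mug/?add-to-cart=42 HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Apr/2025:12:00:04 +0000] "GET /wp-content/uploads/2025/04/shell.php HTTP/1.1" 200 145',
    '198.51.100.3 - - [10/Apr/2025:12:01:10 +0000] "GET /wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 53120',
    '203.0.113.7 - - [10/Apr/2025:12:02:00 +0000] "GET /wp-content/uploads/2025/04/x.phtml?a=1 HTTP/1.1" 403 199',
]
```

Running `suspicious_upload_requests(SAMPLE_LOG)` flags the two requests for shell.php and x.phtml; a hit with status 200 means the file was actually served and the host should be treated as compromised.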
How to Mitigate CVE-2024-13744
Immediate Actions Required
- Update Booster for WooCommerce plugin to version 7.2.5 or later immediately
- Audit the WordPress uploads directory for any suspicious or unexpected PHP files
- Temporarily disable the product input fields file upload functionality if immediate patching is not possible
- Review web server logs for evidence of past exploitation attempts
Patch Information
The vulnerability has been addressed by the plugin maintainers. The patch details can be found in the WordPress Changeset Update. Additional technical analysis is available in the Wordfence Vulnerability Report.
Users should update to version 7.2.5 or later, which includes proper file type validation in the validate_product_input_fields_on_add_to_cart function.
Workarounds
- Disable the product input fields module in Booster for WooCommerce settings until the plugin can be updated
- Configure the web server to prevent execution of PHP files within the WordPress uploads directory using .htaccess or server configuration
- Implement a web application firewall (WAF) rule to block file uploads with executable extensions to WooCommerce endpoints
- Restrict file upload functionality at the server level by limiting allowed MIME types and extensions
# Apache .htaccess configuration to prevent PHP execution in uploads
# Add to wp-content/uploads/.htaccess (Apache 2.4 syntax; the directory
# needs AllowOverride AuthConfig or All for the Require directive to apply)
<FilesMatch "\.(?:php|phtml|php[3-7])$">
    Require all denied
</FilesMatch>

# Nginx configuration alternative
# Add to the server block *before* the generic "location ~ \.php$" handler,
# since nginx picks the first matching regex location in file order.
# Covers the same extensions as the Apache rule (.php, .phtml, .php3-.php7).
location ~* /wp-content/uploads/.*\.(?:php|phtml|php[3-7])$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.