Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-13744

CVE-2024-13744: Booster For WooCommerce RCE Vulnerability

CVE-2024-13744 is a remote code execution flaw in Booster for WooCommerce that allows unauthenticated attackers to upload malicious files. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2024-13744 Overview

CVE-2024-13744 is a critical arbitrary file upload vulnerability affecting the Booster for WooCommerce plugin for WordPress. The vulnerability exists due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This security flaw enables unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution.

Critical Impact

Unauthenticated attackers can upload malicious files including PHP web shells, enabling complete server compromise and remote code execution without any authentication requirements.

Affected Products

  • Booster for WooCommerce versions 4.0.1 through 7.2.4
  • WordPress sites running vulnerable Booster for WooCommerce installations
  • WooCommerce deployments utilizing the Booster plugin product input fields feature

Discovery Timeline

  • 2025-04-04 - CVE-2024-13744 published to NVD
  • 2025-04-09 - Last updated in NVD database

Technical Details for CVE-2024-13744

Vulnerability Analysis

This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw resides within the product input fields functionality of the Booster for WooCommerce plugin. When processing file uploads through the add-to-cart functionality, the validate_product_input_fields_on_add_to_cart function fails to properly validate the type of files being uploaded.

The absence of file type validation means attackers can bypass intended restrictions and upload files with dangerous extensions such as .php, .phtml, or other executable server-side scripts. Once uploaded, these malicious files can be accessed directly through the web server, allowing attackers to execute arbitrary code in the context of the web server process.

Root Cause

The root cause of this vulnerability is the missing file type validation logic within the validate_product_input_fields_on_add_to_cart function located in class-wcj-product-input-fields-core.php. The function accepts file uploads as part of the WooCommerce product input fields feature but does not verify that uploaded files match an allowlist of safe file types or extensions. This oversight allows any file type to be uploaded to the server, including executable scripts.

Attack Vector

The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by:

  1. Identifying a WordPress site running a vulnerable version of Booster for WooCommerce (4.0.1 - 7.2.4)
  2. Locating a product page that utilizes the product input fields feature with file upload capability
  3. Crafting a malicious file (such as a PHP web shell) and submitting it through the add-to-cart form
  4. Accessing the uploaded malicious file directly via its URL on the server
  5. Executing arbitrary commands through the uploaded web shell

The vulnerability requires no user interaction and can be exploited directly over the network against any exposed WordPress installation running the vulnerable plugin versions.

Detection Methods for CVE-2024-13744

Indicators of Compromise

  • Unexpected PHP files or other executable scripts appearing in WordPress upload directories
  • Suspicious files in /wp-content/uploads/ with recent timestamps and unusual naming patterns
  • Web server access logs showing requests to newly created PHP files in upload directories
  • Outbound network connections originating from the web server to unknown destinations

Detection Strategies

  • Monitor file system changes in WordPress upload directories for new executable files (.php, .phtml, .php5, etc.)
  • Implement web application firewall (WAF) rules to detect and block file upload attempts with executable extensions
  • Review web server access logs for patterns indicating file upload exploitation attempts
  • Deploy file integrity monitoring to alert on unauthorized file creations in web-accessible directories

Monitoring Recommendations

  • Enable real-time file system monitoring for the WordPress uploads directory structure
  • Configure alerting for any POST requests to product pages containing file upload payloads with suspicious MIME types
  • Monitor WordPress error logs for unusual file handling errors that may indicate exploitation attempts
  • Implement regular security scans to detect web shells and unauthorized files in the WordPress installation

How to Mitigate CVE-2024-13744

Immediate Actions Required

  • Update Booster for WooCommerce plugin to version 7.2.5 or later immediately
  • Audit the WordPress uploads directory for any suspicious or unexpected PHP files
  • Temporarily disable the product input fields file upload functionality if immediate patching is not possible
  • Review web server logs for evidence of past exploitation attempts

Patch Information

The vulnerability has been addressed by the plugin maintainers. The patch details can be found in the WordPress Changeset Update. Additional technical analysis is available in the Wordfence Vulnerability Report.

Users should update to version 7.2.5 or later which includes proper file type validation in the validate_product_input_fields_on_add_to_cart function.

Workarounds

  • Disable the product input fields module in Booster for WooCommerce settings until the plugin can be updated
  • Configure the web server to prevent execution of PHP files within the WordPress uploads directory using .htaccess or server configuration
  • Implement a web application firewall (WAF) rule to block file uploads with executable extensions to WooCommerce endpoints
  • Restrict file upload functionality at the server level by limiting allowed MIME types and extensions
bash
# Apache .htaccess configuration to prevent PHP execution in uploads
# Add to wp-content/uploads/.htaccess
<FilesMatch "\.(?:php|phtml|php[3-7]?)$">
    Require all denied
</FilesMatch>

# Nginx configuration alternative
# Add to server block
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.