Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56027

CVE-2026-56027: Booster for WooCommerce Path Traversal

CVE-2026-56027 is a path traversal flaw in Booster for WooCommerce allowing arbitrary file uploads. Affecting versions up to 8.0.1, this vulnerability poses serious security risks. Explore technical details and mitigations.

Published:

CVE-2026-56027 Overview

CVE-2026-56027 is an arbitrary file upload vulnerability in the Booster for WooCommerce WordPress plugin, affecting versions up to and including 8.0.1. The flaw allows authenticated users with customer-level privileges to upload arbitrary files to the WordPress host. The weakness is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. Because a customer account is a low-privilege role typically obtainable through self-registration on WooCommerce stores, the attack surface is broad. Successful exploitation can lead to remote code execution, full site compromise, and pivoting into the underlying host.

Critical Impact

Authenticated customers can upload malicious files that lead to remote code execution on WordPress sites running Booster for WooCommerce <= 8.0.1.

Affected Products

  • Booster for WooCommerce plugin (woocommerce-jetpack) versions <= 8.0.1
  • WordPress sites with the plugin activated and open customer registration
  • WooCommerce storefronts relying on Booster for WooCommerce for extended functionality

Discovery Timeline

  • 2026-06-26 - CVE-2026-56027 published to NVD
  • 2026-06-26 - Last updated in NVD database

Technical Details for CVE-2026-56027

Vulnerability Analysis

The vulnerability exists in the file upload handling logic of Booster for WooCommerce. The plugin exposes an upload endpoint accessible to authenticated users holding the WooCommerce customer role. Input validation on uploaded content is insufficient, allowing files with dangerous extensions or MIME types to be written to the server file system. Since the customer role is widely accessible through standard account creation flows, the barrier to exploitation is low. Once a malicious file lands in a web-accessible directory, the attacker can request it to trigger server-side code execution. This chains a file upload weakness into a remote code execution primitive, giving the attacker control over the WordPress installation.

Root Cause

The root cause is unrestricted file upload handling [CWE-434]. The plugin fails to enforce a strict allowlist of file types, validate MIME content, or sanitize the resulting filename and storage path. Server-side checks that would reject executable content such as .php, .phtml, or .phar files are missing or bypassable. The scope change reflected in the CVSS vector (S:C) indicates the impact extends beyond the plugin itself into the hosting WordPress environment.

Attack Vector

An attacker registers a customer account on a vulnerable WooCommerce store or uses existing credentials. The attacker then issues a crafted HTTP request to the vulnerable Booster for WooCommerce upload endpoint, submitting a file containing PHP code. The file is written to a location under the WordPress uploads directory. The attacker then requests the uploaded file over HTTP, which executes the payload under the web server user. Additional details are available in the Patchstack Vulnerability Report.

Detection Methods for CVE-2026-56027

Indicators of Compromise

  • Files with executable extensions such as .php, .phtml, .phar, or .htaccess present under wp-content/uploads/ or plugin-specific upload directories
  • Unexpected HTTP POST requests from authenticated customer sessions to Booster for WooCommerce upload handlers
  • Newly created WordPress administrator accounts or modified wp-config.php timestamps following upload activity
  • Outbound network connections from the web server to unfamiliar IP addresses shortly after suspicious uploads

Detection Strategies

  • Inspect web server access logs for POST requests to Booster for WooCommerce upload endpoints originating from customer-role accounts
  • Perform integrity monitoring on the wp-content/uploads/ directory tree for files with server-executable extensions
  • Correlate WordPress audit logs of file uploads with subsequent GET requests to those files

Monitoring Recommendations

  • Enable file integrity monitoring on the WordPress document root and uploads directory
  • Forward web server, PHP-FPM, and WordPress plugin logs to a centralized analytics platform for correlation
  • Alert on creation of PHP files anywhere under wp-content/uploads/ since legitimate uploads should not contain executable code

How to Mitigate CVE-2026-56027

Immediate Actions Required

  • Update Booster for WooCommerce to a version later than 8.0.1 as soon as a fixed release is available from the vendor
  • Audit the wp-content/uploads/ directory for any unexpected executable files and remove them
  • Review and disable unused customer accounts, and enforce strong password requirements on customer registration
  • Rotate WordPress administrator credentials and secret keys in wp-config.php if compromise is suspected

Patch Information

Refer to the Patchstack Vulnerability Report for the latest patch status and fixed version guidance from the Booster for WooCommerce maintainers.

Workarounds

  • Temporarily deactivate the Booster for WooCommerce plugin until a patched release is deployed
  • Restrict customer registration to trusted users or place the storefront behind a web application firewall with file upload inspection
  • Configure the web server to deny execution of PHP files under wp-content/uploads/ using directory-level rules
bash
# Apache: block PHP execution in the WordPress uploads directory
# Place the following in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|phar|php7|php8)$">
    Require all denied
</FilesMatch>

# Nginx equivalent (server block)
location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.