Cyber Resilience

CVE-2024-13342

Severity: High
Published: 29 August 2025
Modified: 08 December 2025
CISA KEV: not listed
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0060 (70.1th percentile)
Risk priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13342 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Booster for WooCommerce plugin from the vendor Booster. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13342 is an arbitrary file upload vulnerability in the Booster for WooCommerce plugin for WordPress, stemming from missing file type validation in the 'add_files_to_order' function. It affects all versions up to and including 7.2.4. The flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential high impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this over the network by uploading arbitrary files with double extensions to the affected site's server. While this may enable remote code execution, exploitation is limited to select instances where server configurations execute files based on the first extension present, contributing to the high attack complexity (AC:H) rating.

Advisories reference the vulnerable code in class-wcj-checkout-files-upload.php at line 452 and a patch in WordPress plugin changeset 3262569. Security practitioners should update to a version beyond 7.2.4 via the WordPress plugin repository, as detailed in the Wordfence threat intelligence report, to mitigate the issue.

Vulnerability details

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1036.007 Double File Extension (Stealth): Adversaries may abuse a double extension in the filename as a means of masquerading the true file type.

Why these techniques?

Arbitrary file upload in a public-facing WordPress plugin directly enables T1190 exploitation and T1505.003 web shell deployment; the double-extension bypass maps to T1036.007 masquerading.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13359 (same product class: WordPress / CMS plugin)
CVE-2024-8425 (same product class: WordPress / CMS plugin)
CVE-2025-7340 (same product class: WordPress / CMS plugin)
CVE-2025-1661 (same product class: WordPress / CMS plugin)
CVE-2024-13545 (same product class: WordPress / CMS plugin)
CVE-2024-13792 (same product class: WordPress / CMS plugin)
CVE-2024-13921 (same product class: WordPress / CMS plugin)
CVE-2024-13694 (same product class: WordPress / CMS plugin)
CVE-2025-24618 (same product class: WordPress / CMS plugin)
CVE-2025-7360 (same product class: WordPress / CMS plugin)

Affected Assets

Vendor: booster
Product: booster for woocommerce
Versions: ≤ 7.2.5

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Directly requires timely flaw remediation by patching the Booster for WooCommerce plugin beyond version 7.2.4 to fix the missing file type validation.

Prevent (SI-10 Information Input Validation): Mandates information input validation mechanisms at file upload points to block arbitrary files with dangerous double extensions like those exploited in this CVE.

Prevent: Enforces input restrictions at system boundaries to limit file uploads to safe types, preventing unauthenticated arbitrary file uploads via the vulnerable add_files_to_order function.
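As an added example (not code from the Booster for WooCommerce plugin or its patch), the stand-alone PHP below shows the kind of filename check that the SI-10 control above and the "first extension present" condition in the deeper analysis call for at an upload endpoint: every dotted component after the stem is inspected, so a double-extension name whose first extension is executable is rejected even when its final extension is allowed, and the stored name never reuses client-supplied text. The allowlist, the denylist, the sample names and the function names are assumptions made for this illustration.

```php
<?php
// Added example, not code from the Booster for WooCommerce plugin. It treats
// every dotted component after the stem as an extension, so "order.php.jpg"
// is rejected even though its final extension is allowed. Lists are assumed.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg'];
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7',
                               'phar', 'phps', 'cgi', 'pl', 'py', 'sh', 'htaccess'];

/** Returns null when the name is acceptable, otherwise the rejection reason. */
function validate_upload_name(string $original_name): ?string
{
    $base = strtolower(basename($original_name));      // strip any path component
    if ($base === '' || strpos($base, "\0") !== false) {
        return 'empty or NUL-containing name';
    }
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return 'missing extension or dotfile';
    }
    $extensions = array_slice($parts, 1);              // all components after the stem
    foreach ($extensions as $ext) {                    // first, middle and last alike
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return "executable extension '$ext' present";
        }
    }
    $final = end($extensions);
    if (!in_array($final, ALLOWED_EXTENSIONS, true)) {
        return "final extension '$final' not in allowlist";
    }
    return null;
}

/** Storage name carrying nothing from the client except the vetted extension. */
function storage_name(string $original_name): string
{
    $final = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $final;
}

// Constructed sample names, including the double-extension case the CVE describes.
$samples = ['invoice.pdf', 'photo.JPG', 'order.php.jpg', 'order.phtml', '.htaccess', 'notes.pdf.php'];
foreach ($samples as $name) {
    $reason = validate_upload_name($name);
    printf("%-16s %s\n", $name,
        $reason === null ? 'accept -> ' . storage_name($name) : "reject ($reason)");
}
```

Filename checks alone are not sufficient: pair them with a content check (for example PHP's finfo) and an upload directory that the web server is configured never to execute.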
