CVE-2024-13342
Published: 29 August 2025
Summary
CVE-2024-13342 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Booster's Booster For WooCommerce plugin. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 29.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13342 is an arbitrary file upload vulnerability in the Booster for WooCommerce plugin for WordPress, stemming from missing file type validation in the 'add_files_to_order' function. It affects all versions up to and including 7.2.4. The flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential high impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this over the network by uploading arbitrary files with double extensions to the affected site's server. While this may enable remote code execution, exploitation is limited to select instances where server configurations execute files based on the first extension present, contributing to the high attack complexity (AC:H) rating.
Advisories reference the vulnerable code in class-wcj-checkout-files-upload.php at line 452 and a patch in WordPress plugin changeset 3262569. Security practitioners should update to a version beyond 7.2.4 via the WordPress plugin repository, as detailed in the Wordfence threat intelligence report, to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54930
Vulnerability details
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
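As an added illustration (not code from the Booster plugin, the advisory, or the patch), the following PHP contrasts an upload check that examines only the final extension, which accepts a double-extension name such as shell.php.jpg, with one that treats every dot-separated segment as an extension; the allow-list and deny-list contents are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code: why checking only the final
// extension is insufficient, and a validator that inspects every extension.
// Extension lists are assumptions for illustration; tune per deployment.

const ALLOWED   = ['pdf', 'jpg', 'jpeg', 'png', 'gif', 'txt', 'zip', 'gz', 'tar'];
const DANGEROUS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                   'phar', 'phps', 'pht', 'cgi', 'pl', 'sh'];

// Naive check (illustrative): only the last extension is examined, so
// "shell.php.jpg" is accepted although a server configured to act on the
// first recognised extension may execute it as PHP.
function last_extension_only_check(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED, true);
}

// Hardened check: every dot-separated segment after the stem is treated as
// an extension; any dangerous one rejects the file, and the final one must
// still be on the allow-list.
function is_safe_upload_name(string $name): bool {
    // Strip any path component the client sent, then normalise case.
    $base = strtolower(basename(str_replace('\\', '/', $name)));
    if ($base === '' || $base[0] === '.' || preg_match('/[\x00-\x1f\x7f]/', $base)) {
        return false;               // empty, dotfile (.htaccess), control chars
    }
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return false;               // no extension at all
    }
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if ($ext === '' || in_array($ext, DANGEROUS, true)) {
            return false;           // "a..jpg", "shell.php.jpg", "x.phtml"
        }
    }
    return in_array(end($exts), ALLOWED, true);
}

// Constructed sample names showing where the two checks diverge.
foreach (['invoice.pdf', 'backup.tar.gz', 'shell.php.jpg', 'shell.jpg.php',
          'x.phtml', '.htaccess', 'noext'] as $n) {
    printf("%-14s naive=%-6s hardened=%s\n", $n,
        last_extension_only_check($n) ? 'accept' : 'reject',
        is_safe_upload_name($n) ? 'accept' : 'reject');
}
```

Accepted files should additionally be stored under a server-generated name rather than the client-supplied one, so that no user-controlled text reaches the filesystem path.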
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in a public-facing WordPress plugin directly enables T1190 exploitation and T1505.003 web shell deployment; the double-extension bypass maps to T1036.007 masquerading.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely flaw remediation by patching the Booster for WooCommerce plugin beyond version 7.2.4 to fix the missing file type validation.
- SI-10 (Information Input Validation): mandates input validation mechanisms at file upload points to block arbitrary files with dangerous double extensions like those exploited in this CVE.
- Enforces input restrictions at system boundaries to limit file uploads to safe types, preventing unauthenticated arbitrary file uploads via the vulnerable add_files_to_order function.