Introduction
Attackers can upload arbitrary files to vulnerable e-commerce sites running Booster for WooCommerce, potentially achieving remote code execution without authentication. This flaw impacts thousands of WordPress installations using a plugin that is central to many online stores' checkout and order management workflows.
Booster for WooCommerce is a feature-rich WordPress plugin with over 80 modules, widely used to extend WooCommerce functionality. Its broad adoption in the e-commerce sector means vulnerabilities can have significant downstream effects on online businesses and their customers.
Technical Information
CVE-2024-13342 is an arbitrary file upload vulnerability in the 'add_files_to_order' function of Booster for WooCommerce, affecting all versions up to and including 7.2.4. The vulnerability arises from missing file type validation when processing user-supplied uploads attached to orders. Specifically, the plugin does not enforce a whitelist of allowed file types and fails to perform adequate MIME type checks. This allows attackers to upload files with double extensions (such as shell.php.jpg).
On certain server configurations, particularly those that execute files based on the first extension, an uploaded file like malicious.php.jpg may be interpreted and executed as PHP code. This can lead to full remote code execution on the affected server.
The vulnerability is unauthenticated, meaning any user can exploit it without needing credentials. The root cause is a lack of robust input validation and insecure handling of uploaded files in the 'add_files_to_order' function.
This issue is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
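The following is an added example, not code from Booster for WooCommerce or its vendor, showing the kind of validation the text says is missing: an extension allowlist, an outright rejection of multi-extension names such as shell.php.jpg, a content-based MIME check instead of trusting the client's Content-Type, and a random server-chosen storage name. The function name, the allowlist and the storage naming are assumptions; inside WordPress you would additionally route the file through wp_check_filetype_and_ext() and wp_handle_upload().

```php
<?php
// Added example (not Booster for WooCommerce code): a hardened validator for
// files attached to an order. Names and the allowlist below are assumptions.
declare(strict_types=1);

// Allowlist: extension => the MIME type that finfo must report for the content.
const ORDER_ATTACHMENT_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

// Segments that must never appear anywhere in the name: handlers such as
// Apache's AddHandler for .php apply to every extension segment of a
// multi-extension filename, so shell.php.jpg can still be executed as PHP.
const FORBIDDEN_SEGMENTS = ['php', 'php3', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'cgi', 'htaccess'];

/**
 * Validate an uploaded order attachment.
 *
 * @param string $originalName filename as supplied by the client (untrusted)
 * @param string $tmpPath      path of the uploaded temp file on disk
 * @return array{ok: bool, reason?: string, storedName?: string}
 */
function validate_order_attachment(string $originalName, string $tmpPath): array
{
    // Work only on the base name; client input must never influence the directory.
    $base     = basename(str_replace('\\', '/', $originalName));
    $segments = explode('.', strtolower($base));

    if (count($segments) < 2 || $segments[0] === '') {
        return ['ok' => false, 'reason' => 'missing extension'];
    }
    // One name, one extension: reject double extensions outright.
    if (count($segments) > 2) {
        return ['ok' => false, 'reason' => 'multiple extensions not allowed'];
    }
    // Defence in depth: no executable type in any segment.
    foreach ($segments as $seg) {
        if (in_array($seg, FORBIDDEN_SEGMENTS, true)) {
            return ['ok' => false, 'reason' => 'forbidden extension segment: ' . $seg];
        }
    }
    $ext = $segments[1];
    if (!array_key_exists($ext, ORDER_ATTACHMENT_TYPES)) {
        return ['ok' => false, 'reason' => 'extension not in allowlist: ' . $ext];
    }

    // Check the actual bytes on disk, not the client-supplied Content-Type header.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ORDER_ATTACHMENT_TYPES[$ext]) {
        return ['ok' => false, 'reason' => "content type $detected does not match .$ext"];
    }

    // Never store under the client-chosen name; pick a random one with the vetted extension.
    return ['ok' => true, 'storedName' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// --- Constructed demo inputs (not real uploads) ---
$tmpDir   = sys_get_temp_dir();
$jpegPath = tempnam($tmpDir, 'up');          // JPEG SOI marker plus padding
file_put_contents($jpegPath, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 64));
$phpPath  = tempnam($tmpDir, 'up');          // PHP-shaped content, harmless
file_put_contents($phpPath, "<?php echo 'constructed sample'; ?>\n");

$cases = [
    ['invoice.jpg',         $jpegPath], // accepted
    ['shell.php.jpg',       $jpegPath], // rejected: multiple extensions
    ['image.jpg',           $phpPath],  // rejected: content is not image/jpeg
    ['../../wp-config.php', $phpPath],  // rejected: forbidden segment
];

foreach ($cases as [$name, $path]) {
    $r = validate_order_attachment($name, $path);
    printf("%-22s -> %s\n", $name,
        $r['ok'] ? 'accepted as ' . $r['storedName'] : 'rejected (' . $r['reason'] . ')');
}
unlink($jpegPath);
unlink($phpPath);
```

Run it with `php validate_attachment.php` (the fileinfo extension is enabled by default). The application-level check is only half of the mitigation for the double-extension case the text describes: in Apache, `AddHandler application/x-httpd-php .php` matches every extension segment of a multi-extension name, so `file.php.jpg` is handed to PHP, whereas a `<FilesMatch "\.php$">` handler only matches a trailing `.php`. Disabling script execution in the upload directory altogether removes the dependence on either the filename check or the handler configuration being correct.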
Affected Systems and Versions
- Product: Booster for WooCommerce plugin for WordPress
- Affected versions: All versions up to and including 7.2.4
- Vulnerable function: 'add_files_to_order'
- Vulnerable configurations: Servers that execute files based on the first extension in a double extension filename (e.g., file.php.jpg)
Vendor Security History
Booster for WooCommerce (Pluggabl) has experienced multiple similar vulnerabilities:
- CVE-2024-12278: Stored XSS in versions up to 7.2.5
- CVE-2024-13744: Arbitrary file upload in versions 4.0.1 through 7.2.4
- CVE-2024-1986: Arbitrary file upload in Booster Elite for WooCommerce up to 7.1.7
This pattern suggests recurring issues with secure file handling and input validation. While the vendor has responded to disclosures and issued patches, the frequency of such vulnerabilities indicates a need for more robust security development practices.