CVE-2024-13342 HIGH

CVE-2024-13342: Booster for WooCommerce <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload

Vendor Pluggabl
Product Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools
Weakness CWE-434 · Unrestricted file upload
Published August 29, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload files with double extensions (for example a PHP script named as an image) to the affected site's server, which may make remote code execution possible. Code execution only results on servers whose configuration dispatches a file on an extension that is not the last one, for example an Apache mod_mime 'AddHandler' rule for .php, which also matches a name like shell.php.jpg; servers that match only the final extension do not execute such a file.

Explanation of Vulnerability in Simple Terms

02 Summary

Booster for WooCommerce versions up to and including 7.2.4 contain an unrestricted file upload vulnerability. An unauthenticated attacker can upload files to the site without proper validation of their type, which can lead to remote code execution and complete site compromise. Exploitation depends on a server configuration that executes a file based on a non-final extension, which is why the attack complexity is rated High. Update to a version newer than 7.2.4 immediately.
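The following Python module is an added illustration for the description and summary above; it is not code from Booster for WooCommerce or from Pluggabl. It models the server condition the advisory refers to (a handler that matches any extension of a multi-extension name, as Apache mod_mime does with an AddHandler rule), shows the name-level validation the vulnerable function lacked, and gives a triage check to run over an existing uploads listing. The extension sets, function names and the sample directory listing are assumptions constructed for this example.

```python
"""Double-extension upload checks. Added illustration, not plugin code.

Models the condition in the advisory: a server that executes a file because
of an extension that is not the last one in its name."""
import re
from pathlib import PurePosixPath

# Assumption: extensions a typical PHP host maps to a script handler.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Assumption: what an order-attachment feature would legitimately accept.
ALLOWED_EXTS = {"pdf", "jpg", "jpeg", "png", "gif", "txt"}


def extensions(filename):
    """All dot-separated suffixes of the basename, lowercased.
    'shell.php.jpg' -> ['php', 'jpg']; '.htaccess' -> ['htaccess']."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    return [p.lower() for p in name.split(".")[1:] if p]


def mod_mime_would_execute(filename, handler_exts=EXECUTABLE_EXTS):
    """Model of Apache mod_mime with 'AddHandler ... .php': every extension of a
    multi-extension name is considered, so 'x.php.jpg' is handed to PHP. This is
    the 'executes the first extension present' configuration in the advisory."""
    return any(ext in handler_exts for ext in extensions(filename))


def sanitize_upload_name(filename):
    """Strip directories, keep only the final extension and collapse inner dots,
    so the stored name has exactly one extension ('../a.php.jpg' -> 'a_php.jpg')."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem) or "file"
    return f"{stem}.{ext.lower()}" if ext else stem


def is_safe_upload_name(filename, allowed=ALLOWED_EXTS):
    """Hardened policy the missing validation should have enforced: exactly one
    extension, allowlisted, and never a script extension anywhere in the name."""
    exts = extensions(filename)
    return len(exts) == 1 and exts[0] in allowed and not mod_mime_would_execute(filename)


def accept_upload(filename):
    """Server-side gate: return the name to store, or None to reject.
    Content sniffing (magic bytes) should be layered on top; a name check alone
    does not prove the bytes really are a PDF or an image."""
    clean = sanitize_upload_name(filename)
    return clean if is_safe_upload_name(clean) else None


def triage_uploads(names):
    """IR check: which stored upload names would a first-extension-executing
    server run as code? Run this over a listing of wp-content/uploads."""
    return [n for n in names if mod_mime_would_execute(n)]


# Constructed sample listing (not real data) of an uploads directory.
SAMPLE_UPLOADS = [
    "order-1042/invoice.pdf",
    "order-1042/receipt.jpg",
    "order-1043/proof.php.jpg",
    "order-1044/notes.phtml.txt",
    "order-1045/id-scan.png",
]

if __name__ == "__main__":
    print("flagged:", triage_uploads(SAMPLE_UPLOADS))
    for n in ["invoice.pdf", "shell.php.jpg", "../shell.php.jpg", ".htaccess"]:
        print(f"{n!r:22} -> {accept_upload(n)!r}")
```

The triage function is the quick check to run after updating the plugin: any stored name that `mod_mime_would_execute` flags should be examined and removed. The `accept_upload` gate rewrites a double-extension name to a single allowlisted extension rather than trusting the client's name; a server that matches only the final extension (a typical nginx `location ~ \.php$` block) would not execute `shell.php.jpg` in the first place, which is why the advisory scores attack complexity High.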

What an attacker can do

03 Attacker Capabilities

Upload files with a double extension to the site without authenticating; on a server that executes a file based on its first extension, this yields arbitrary code execution as the web server user.

Potential impact on your site

04 Site Impact

An attacker could take full control of your site, steal data, modify content, or use it to attack visitors.

Conditions required to exploit

05 Prerequisites

Network access to a site running version 7.2.4 or earlier with the affected upload path reachable; no authentication or user interaction is required. Code execution additionally depends on the web server being configured to execute a file based on a non-final extension, which is why the attack complexity is rated High.

Key dates

06 Disclosure timeline

August 29, 2025 CVE published
April 8, 2026 Record updated