CVE-2024-13708 HIGH

CVE-2024-13708: Booster for WooCommerce 4.0.1 - 7.2.4 - Unauthenticated Stored Cross-Site Scripting

Vendor Pluggabl
Product Booster for WooCommerce
Weakness CWE-434 · Unrestricted file upload
Published April 4, 2025
Last update April 4, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
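The root cause described above is that SVG is accepted as if it were a plain image when it is in fact an XML document that may carry `<script>` elements, `on*` event-handler attributes and `javascript:` URLs, all of which a browser executes when the file is opened directly. The following check is an added example written for this page; it is not code from the advisory or from the Booster for WooCommerce plugin. The function names (`find_active_content`, `svg_upload_allowed`) and the two sample SVG files are constructed for the example. WordPress core does not allow SVG uploads by default for exactly this reason; a plugin that re-enables them for untrusted users needs at least a check like this one, and preferably should reject SVG from anonymous visitors outright.

```python
"""Detect script-capable constructs in an SVG upload before it is stored.

Added example for CVE-2024-13708, not the plugin's own code. Parses the
upload as XML and reports anything a browser would execute when the file
is opened: script elements, event-handler attributes and dangerous URL
schemes. Note that xml.etree does not defend against hostile DTDs
(entity expansion); in production wrap the parse with defusedxml.
"""
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Elements that execute script or embed foreign (HTML) content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attributes that carry a URL; checked for schemes that run code.
URL_ATTRS = {"href", "src"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed sample inputs for this example.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>'
)
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="javascript:alert(2)"><text x="1" y="5">click</text></a>'
    b'</svg>'
)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree name: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return one finding per script-capable construct; empty list means clean.

    A file that is not well-formed XML is itself a finding: a browser would
    still attempt to render it, so it must not be stored as an image.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)  # xlink:href and plain href both become 'href'
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name}= on <{name}>")
            elif attr_name in URL_ATTRS:
                # The XML parser has already decoded entities such as &#x6A;,
                # so only whitespace tricks remain to normalise away.
                scheme_view = "".join(value.split()).lower()
                if scheme_view.startswith(DANGEROUS_SCHEMES):
                    findings.append(f"{attr_name} with dangerous scheme on <{name}>")
    return findings


def svg_upload_allowed(svg_bytes: bytes) -> bool:
    """Policy wrapper: accept the upload only when no active content was found."""
    return not find_active_content(svg_bytes)


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", "allowed" if svg_upload_allowed(data) else "rejected")
        for finding in find_active_content(data):
            print("   ", finding)
```

Running the block rejects the constructed malicious file with three findings (the `onload` handler on the root, the `<script>` element and the `javascript:` link) and accepts the plain circle. A rejection list is more useful than a boolean when triaging existing uploads: the same function can be run over every `.svg` already in `wp-content/uploads` to find files that arrived while a vulnerable version was installed. Blocking script in the file does not replace serving-side controls; uploads should also be delivered with a restrictive `Content-Security-Policy` and never from the same origin as the admin session.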

Explanation of Vulnerability in Simple Terms

02 Summary

Booster for WooCommerce versions 4.0.1 through 7.2.4 let unauthenticated attackers upload SVG files that the plugin neither sanitizes nor escapes. Because an SVG is an XML document that can embed JavaScript, an attacker can upload one over the network, without logging in and without any action by a victim, and the embedded script then runs in the browser of anyone who opens the file. The weakness is classed as CWE-434 (unrestricted upload of a file with a dangerous type) because the root cause is accepting a script-capable file type from untrusted users; the resulting impact is stored cross-site scripting.

What an attacker can do

03 Attacker Capabilities

Upload SVG files containing attacker-chosen script to the site without authentication or user interaction, so that the script executes in the browser of any user who later accesses the uploaded file (stored XSS).

Potential impact on your site

04 Site Impact

Attacker-controlled script runs in the browser of any visitor, customer or administrator who opens an uploaded SVG. The CVSS vector rates the scope as changed (the code runs in users' browsers rather than on the server) and the confidentiality and integrity impacts as low, with no availability impact. Files uploaded while a vulnerable version was installed remain on the site after the plugin is updated and should be reviewed or removed.

Conditions required to exploit

05 Prerequisites

Network access to a site running Booster for WooCommerce 4.0.1 through 7.2.4 with its SVG upload functionality reachable; no authentication or user interaction is required to upload the file. The injected script executes when a user accesses the uploaded SVG.

Key dates

06 Disclosure timeline

April 4, 2025 CVE published
April 4, 2025 Record updated