What the vulnerability does
01Description
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Explanation of Vulnerability in Simple Terms
02Summary
Booster for WooCommerce versions 4.0.1 through 7.2.4 allow unauthenticated attackers to upload files without restriction. An attacker can upload malicious files to the site over the network without needing to log in or interact with a user. This can lead to unauthorized file storage and potential site compromise.
What an attacker can do
03Attacker Capabilities
Upload files to the site without authentication or user interaction.
Potential impact on your site
04Site Impact
Attackers can upload malicious files, potentially leading to data theft, malware distribution, or site takeover.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
April 4, 2025
CVE published
April 4, 2025
Record updated