Unrated severityNVD Advisory· Published Aug 29, 2025· Updated Apr 8, 2026

Booster for WooCommerce <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload

CVE-2024-13342

Description

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.

Affected products

Booster/Booster For Woocommercellm-fuzzy
Range: <=7.2.4
pluggabl/Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Toolsv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000