CVE-2024-13342

8.1 HIGH

📋 TL;DR

The Booster for WooCommerce WordPress plugin does not validate the type of uploaded files, so unauthenticated attackers can upload arbitrary files with double extensions (e.g., .php.jpg). All versions up to and including 7.2.4 are affected. On servers configured to execute files based on the first extension, this leads to remote code execution. WordPress sites running this plugin are affected.

💻 Affected Systems

Products:
  • Booster for WooCommerce WordPress plugin
Versions: All versions up to and including 7.2.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only on servers configured to execute files based on the first extension in double extensions (e.g., .php.jpg).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠

Likely Case

File upload leading to webshell deployment and limited server access.

🟢

If Mitigated

File upload blocked by server configuration or web application firewall.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires specific server configuration but is straightforward when conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.2.5

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3262569/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Booster for WooCommerce' and update to version 7.2.5 or later.
4. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate woocommerce-jetpack

Web Application Firewall rule

all

Block requests to the vulnerable endpoint.

Block POST requests to /wp-admin/admin-ajax.php?action=wcj_add_files_to_order

🧯 If You Can't Patch

  • Disable the Booster for WooCommerce plugin immediately
  • Implement strict file upload restrictions at the web server level

🔍 How to Verify

Check if Vulnerable:

Check the installed plugin version: wp plugin get woocommerce-jetpack --field=version (a reported version of 7.2.4 or lower is vulnerable)

Check Version:

wp plugin get woocommerce-jetpack --field=version

Verify Fix Applied:

Confirm plugin version is 7.2.5 or higher: wp plugin get woocommerce-jetpack --field=version

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with action=wcj_add_files_to_order
  • File uploads with double extensions (.php.jpg, .php.png)

Network Indicators:

  • Unusual file uploads to WordPress admin-ajax endpoint
  • POST requests with file uploads from unauthenticated sources

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="action=wcj_add_files_to_order" AND method="POST"
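The two log indicators above (POSTs to the Booster upload action and requests for double-extension files) can be checked offline against access logs. This is an added example, not part of the advisory or the plugin; it assumes the Apache/nginx "combined" log layout, a constructed sample log, and an assumed list of extensions the server would execute.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log layout (assumed; adjust the regex for your log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
VULN_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "wcj_add_files_to_order"
# Extensions a web server may execute when they come first in a double extension (assumed list).
EXEC_EXTS = {"php", "phtml", "phar"}

def has_double_extension(path: str) -> bool:
    """True when an executable extension is followed by another one, e.g. 'photo.php.jpg'."""
    parts = urlsplit(path).path.rsplit("/", 1)[-1].lower().split(".")
    # parts[0] is the base name, parts[-1] the trailing (decoy) extension; inspect the ones between.
    return len(parts) >= 3 and any(p in EXEC_EXTS for p in parts[1:-1])

def hits_vulnerable_endpoint(method: str, target: str) -> bool:
    """POST to admin-ajax.php carrying the Booster upload action in the query string."""
    url = urlsplit(target)
    if method != "POST" or url.path != VULN_PATH:
        return False
    # Caveat: the action may also travel in the POST body, which access logs do not record.
    return VULN_ACTION in parse_qs(url.query).get("action", [])

def scan_log(lines):
    """Return one finding per suspicious line: upload-endpoint hits and double-extension requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the expected layout; skip it
        kind = ("upload_endpoint" if hits_vulnerable_endpoint(m["method"], m["target"])
                else "double_extension" if has_double_extension(m["target"]) else None)
        if kind:
            findings.append({"kind": kind, "ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return findings

# Constructed sample lines (not real traffic): one upload-endpoint hit, one fetch of a
# double-extension file from the uploads directory, one benign admin-ajax call, one GET probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wcj_add_files_to_order HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "GET /wp-content/uploads/2025/01/photo.php.jpg HTTP/1.1" 200 93 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:12:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=wcj_add_files_to_order HTTP/1.1" 400 0 "-" "curl/8.0"
""".splitlines()
```

Run scan_log over the sample and only the first two lines are reported; a follow-up GET for a double-extension file under wp-content/uploads after an upload-endpoint hit from the same IP is the sequence worth alerting on.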

🔗 References
