CVE-2024-1986

8.8 HIGH

📋 TL;DR

The Booster Elite for WooCommerce WordPress plugin allows arbitrary file uploads due to missing file type validation in the wc_add_new_product() function. This enables customer-level attackers to upload malicious files, potentially leading to remote code execution. The vulnerability affects all versions up to 7.1.7 when user product upload functionality is enabled.
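As an added illustration (this is not the plugin's code and not a reconstruction of wc_add_new_product(); function names are hypothetical), the unsafe pattern the advisory describes sits next to a hardened handler that relies on WordPress core's own content checks. `$file` is assumed to be one entry of `$_FILES` coming from the customer product form.

```php
<?php
// Added example, not part of the advisory or the plugin.
// Shows the missing-validation pattern behind CVE-2024-1986 and a hardened
// replacement. Run inside WordPress (needs wp-includes/functions.php loaded).

require_once ABSPATH . 'wp-admin/includes/file.php'; // for wp_handle_upload()

// UNSAFE: trusts the client-supplied file name and MIME type and writes the
// upload straight into a web-served directory. A customer can name the file
// shell.php and it will be stored, and executed, as PHP.
function example_unsafe_product_image_upload( array $file, string $upload_dir ) {
    return move_uploaded_file( $file['tmp_name'], $upload_dir . '/' . $file['name'] );
}

// HARDENED: only image types are accepted, the extension is verified against
// the actual file contents, and the core upload pipeline sanitises the name.
function example_safe_product_image_upload( array $file ) {
    // Whitelist instead of blacklist: everything not listed here is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_uploaded', 'Not an uploaded file.' );
    }

    // wp_check_filetype_and_ext() inspects the bytes (getimagesize / finfo),
    // so a PHP script renamed to .png, or a double extension such as
    // x.php.jpg, does not come back with a permitted ext/type pair.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'invalid_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }

    // Hand the file to WordPress with the same restricted list. wp_handle_upload()
    // re-checks the type, sanitises the file name and stores it under
    // wp-content/uploads; 'test_form' is false because this is not wp-admin's form.
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }

    return $result['file']; // absolute path of the stored image
}
```

The design point is the whitelist plus content inspection: checking the extension alone is what the unpatched code lacks, and checking only the client-declared MIME type is no better, because both are attacker-controlled. Pairing this with a web-server rule that refuses to execute PHP under wp-content/uploads gives a second layer if a future validation bug appears.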

💻 Affected Systems

Products:
  • Booster Elite for WooCommerce WordPress plugin
Versions: All versions up to and including 7.1.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when user product upload functionality is enabled in plugin settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Malicious file upload leading to website defacement, malware distribution, or limited server access.

🟢 If Mitigated

File upload attempts logged and blocked with proper validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires customer-level authentication. Exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.8 or later

Vendor Advisory: https://booster.io/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Booster Elite for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable User Product Uploads

all

Temporarily disable the vulnerable user product upload functionality in plugin settings.

Web Application Firewall Rule

all

Block file uploads to the vulnerable endpoint using WAF rules.

🧯 If You Can't Patch

  • Disable the Booster Elite plugin completely until patched
  • Implement strict file upload restrictions at web server level
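One way to apply the web-server-level restriction above, as an added example that is not from the advisory or the vendor: an nginx location block that refuses to execute anything with a PHP extension stored under wp-content/uploads, so a script that slips past plugin validation is never run. The path assumes a standard WordPress layout; put the block before the server's generic `\.php$` handler, because nginx uses the first regex location that matches.

```nginx
# Added example (not from the advisory). Deny execution of PHP files that
# land in the uploads tree, whatever the plugin that stored them.
# Must appear before the site's generic "location ~ \.php$ { fastcgi_pass ... }".
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|phps|php[0-9])$ {
    deny all;   # nginx answers 403; the request never reaches PHP-FPM
}
```

On Apache the equivalent is a `wp-content/uploads/.htaccess` containing a `<FilesMatch>` for the same extensions with `Require all denied`. Test after deploying by requesting a harmless `test.php` you placed there yourself and confirming a 403 rather than executed output.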

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for the Booster Elite version. If the version is 7.1.7 or earlier and user product uploads are enabled in the plugin settings, the site is vulnerable.

Check Version:

wp plugin list --fields=name,title,version | grep -i 'booster'

(The --name filter of wp plugin list matches the plugin slug, not the display title, so list all plugins with their titles and filter on the title instead.)

Verify Fix Applied:

Verify plugin version is 7.1.8 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to product submission endpoints
  • PHP or executable files uploaded via product forms
  • Multiple failed upload attempts with unusual file extensions
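The second log indicator is easiest to confirm on disk rather than in access logs, which do not record uploaded file names. The following is an added example, not part of the advisory: a PHP script that walks an uploads tree and reports files a customer product submission should never produce, namely executable PHP extensions, double extensions hiding one, and files whose content opens with a PHP tag despite an image extension. The sample tree it builds is constructed for the demonstration; point the function at WP_CONTENT_DIR . '/uploads' on a real site.

```php
<?php
// Added example, not part of the advisory. Reports files under an uploads
// tree that look like uploaded scripts rather than product images.

function example_find_suspicious_uploads( string $dir ): array {
    $exec_ext = '/\.(php|phtml|phar|phps|php[0-9])$/i';   // info.php, shell.phtml
    $hidden   = '/\.(php|phtml|phar|phps|php[0-9])\./i';  // shell.php.jpg
    $findings = array();

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        $reasons = array();
        $name    = $info->getFilename();

        if ( preg_match( $exec_ext, $name ) ) {
            $reasons[] = 'executable extension';
        }
        if ( preg_match( $hidden, $name ) ) {
            $reasons[] = 'double extension';
        }
        // Only the first 512 bytes are read, so large media files stay cheap.
        $head = (string) file_get_contents( $path, false, null, 0, 512 );
        if ( preg_match( '/<\?(php|=)/i', $head ) ) {
            $reasons[] = 'PHP open tag in content';
        }

        if ( $reasons ) {
            $findings[] = array(
                'file'    => $path,
                'reasons' => $reasons,
                'mtime'   => date( 'c', $info->getMTime() ), // when it appeared
            );
        }
    }
    return $findings;
}

// Constructed sample tree (not real data) so the script runs offline.
$root = sys_get_temp_dir() . '/uploads-scan-' . uniqid();
mkdir( $root . '/2024/02', 0700, true );
file_put_contents( $root . '/2024/02/product.jpg',   "\xFF\xD8\xFF\xE0 constructed jpeg header" );
file_put_contents( $root . '/2024/02/thumb.php.jpg', "<?php echo 'double extension';" );
file_put_contents( $root . '/2024/02/info.php',      "<?php echo 'plain php file';" );
file_put_contents( $root . '/2024/02/logo.png',      "<?php /* php tag behind an image extension */" );

foreach ( example_find_suspicious_uploads( $root ) as $f ) {
    printf( "%s  [%s]  %s\n", $f['mtime'], implode( ', ', $f['reasons'] ), $f['file'] );
}
```

product.jpg is the only file that passes; the other three are reported with the reason that matched, and the modification time gives the window to search in the web logs for the matching POST to admin-ajax.php. Schedule the scan (cron or WP-CLI) and alert on any finding, since a legitimate customer product image never triggers any of the three checks.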

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with file upload parameters
  • Unusual file uploads to WooCommerce product endpoints

SIEM Query:

source="web_server" AND (uri_path="*admin-ajax.php*" OR uri_path="*wcj-products-add-form*") AND method="POST" AND file_upload="true"
