CVE-2024-29760

7.1 HIGH

📋 TL;DR

This reflected cross-site scripting (XSS) vulnerability in the Booster for WooCommerce WordPress plugin lets an unauthenticated attacker craft a URL that, when a victim opens it, runs attacker-controlled JavaScript in the victim's browser within the site's origin. Any WordPress site with the affected plugin active is exposed. WordPress marks its authentication cookies HttpOnly, so the script usually cannot read them outright, but it can still perform actions as the victim (including an administrator), read page content, and redirect the user.

💻 Affected Systems

Products:
  • Booster for WooCommerce (WordPress plugin)
Versions: All versions up to and including 7.1.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin activated. Requires user interaction (clicking malicious link).

📦 What is this software?

Booster for WooCommerce (plugin slug woocommerce-jetpack, formerly named WooCommerce Jetpack) is a WordPress plugin that bundles a large set of optional modules for customising WooCommerce stores. It runs inside the site's PHP process and renders its own admin and storefront pages, so an unescaped reflection in any of those pages executes in the visiting user's session on the site's origin.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An administrator opens the malicious link while logged in. The injected script runs with that admin session (HttpOnly only stops the cookie being read, not being used) and can create a new administrator account, upload a backdoored plugin or theme, alter site settings, or pull customer and order data, leaving the attacker with persistent control of the store.

🟠

Likely Case

A logged-in customer or shop manager opens the link. The script performs actions in their session, captures what they type into the page, or redirects them to a phishing page that imitates the store.

🟢

If Mitigated

Escaping the reflected value for its HTML context on output renders the payload as inert text, which is the standard fix for this bug class. Input validation, a strict Content Security Policy and WAF filtering are defence in depth that reduce the blast radius of any remaining unescaped reflection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS needs a victim to open an attacker-crafted link, which phishing, forum posts or shortened URLs make easy to arrange. No public proof-of-concept was found at the time of writing, so "weaponized" reflects how routinely this bug class is exploited rather than a known campaign.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.8

Vendor Advisory: https://patchstack.com/database/vulnerability/woocommerce-jetpack/wordpress-booster-for-woocommerce-plugin-7-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Booster for WooCommerce'.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 7.1.8 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin

Applies to: all platforms

Temporarily deactivate Booster for WooCommerce until the 7.1.8 update can be applied. Deactivating turns off every Booster module on the storefront, so expect the pricing, checkout or cart customisations the plugin provides to disappear until it is re-enabled.

wp plugin deactivate woocommerce-jetpack

Implement WAF rules

Applies to: all platforms

Add a web application firewall rule that blocks common XSS payloads in request parameters. The rule below (ModSecurity v2 syntax) decodes URL and HTML-entity encoding and lower-cases the value before matching, so encoded or mixed-case payloads are still caught. Treat it as a stop-gap only: a keyword blocklist is bypassable, and the OWASP Core Rule Set XSS rules are a better baseline than a one-line rule.

ModSecurity: SecRule ARGS "@rx (?:<script|javascript:|\bon[a-z]+\s*=)" "id:1001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,status:403,log,msg:'Possible reflected XSS payload'"

🧯 If You Can't Patch

  • Deploy a Content Security Policy whose script-src omits 'unsafe-inline' so a reflected inline script cannot run. WordPress core and many plugins still rely on inline scripts, so roll it out with Content-Security-Policy-Report-Only first and fix the reports before enforcing.
  • Keep WordPress's default HttpOnly and SameSite flags on its authentication cookies. HttpOnly stops injected script from reading the cookie, but not from sending authenticated requests with it, so this limits rather than prevents exploitation.

🔍 How to Verify

Check if Vulnerable:

Read the installed plugin version from the admin panel (Plugins > Installed Plugins) or with wp-cli; any version at or below 7.1.7 is affected.

Check Version:

wp plugin get woocommerce-jetpack --field=version

Verify Fix Applied:

Confirm the reported version is 7.1.8 or higher. The advisory does not name the affected parameter, so functional testing is limited to checking that query parameters reflected by the plugin's pages come back HTML-escaped rather than as live markup.
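The version check above, written out as a small script. This is an added example, not part of the advisory or the plugin's own code: it wraps the same wp-cli call, and its parse_version pads short versions and treats pre-release suffixes as older than the bare release so that a build such as 7.1.8-beta1 is still flagged. The WordPress root path /var/www/html and wp-cli being on PATH are assumptions.

```python
"""Added example (not part of the advisory): decide whether an installed
Booster for WooCommerce build is affected by CVE-2024-29760 (< 7.1.8)."""
import re
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "woocommerce-jetpack"  # the plugin's slug, as used by wp-cli
FIXED_VERSION = "7.1.8"              # first release carrying the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.1.7' or '7.1.8-beta1' into a tuple that compares correctly.

    Numeric components are compared left to right and padded to at least
    major.minor.patch, so '7.1' == '7.1.0'. A trailing element marks whether
    this is a final release (1) or a pre-release such as '-beta1' (0), so
    '7.1.8-beta1' sorts before '7.1.8' and is still reported as vulnerable.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+~]?([A-Za-z].*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0,) if m.group(2) else (1,))


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the 7.1.8 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version(wp_path: str = "/var/www/html") -> Optional[str]:
    """Ask wp-cli for the installed plugin version; None if absent or wp-cli fails.

    Assumes wp-cli is on PATH and wp_path is the WordPress root; both are
    deployment-specific assumptions, not facts from the advisory.
    """
    try:
        proc = subprocess.run(
            ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
            capture_output=True, text=True,
        )
    except FileNotFoundError:          # wp-cli not installed on this host
        return None
    out = proc.stdout.strip()
    return out if proc.returncode == 0 and out else None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print(f"{PLUGIN_SLUG} is not installed here (or wp-cli is unavailable)")
    elif is_vulnerable(v):
        print(f"VULNERABLE: {PLUGIN_SLUG} {v} is older than {FIXED_VERSION}; update it")
    else:
        print(f"OK: {PLUGIN_SLUG} {v} includes the fix")
```

Run it on the web host as the user that owns the WordPress files; a non-zero exit from wp-cli (wrong path, database unreachable) is reported as "not installed", so check the path before trusting that verdict.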

📡 Detection & Monitoring

Log Indicators:

  • GET or POST requests whose parameters contain script tags, javascript: URLs or inline event handlers (onerror=, onload=), in plain, URL-encoded or double-encoded form
  • Bursts of such requests from one client against many different parameters, typical of an XSS scanner rather than a targeted phish

Network Indicators:

  • HTTP requests containing <script>, javascript:, on*= handlers, or their encoded forms (%3Cscript, %253Cscript, &lt;script) in query strings or form bodies

SIEM Query:

source="web_server" AND ("<script" OR "javascript:" OR "%3Cscript" OR "%253Cscript" OR "onerror=" OR "onload=")

The advisory does not identify the vulnerable endpoint or parameter, and the plugin's directory is woocommerce-jetpack rather than "booster", so do not narrow the search with uri="*booster*"; start site-wide and only then restrict by URI if the volume is unmanageable.
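The log indicators above, turned into a scanner that runs offline. This is an added example, not part of the advisory: it parses combined-format access log lines, undoes up to three layers of percent-encoding plus HTML entities before matching so the double-encoded probes listed in the SIEM query are caught, and checks the request path as well as every query value. The four log lines are constructed for the demo, and parameter names such as filter and redirect are placeholders, not the plugin's real parameters.

```python
"""Added example (not part of the advisory): scan web-server access logs for
reflected-XSS probes against a WordPress site. The log lines below are
constructed for the demo; the parsing and matching logic is generic."""
import re
from html import unescape
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Script-injection indicators, applied to decoded, lower-cased values.
XSS_PATTERNS = [re.compile(p) for p in (
    r"<script\b",                           # classic script tag
    r"javascript:",                         # javascript: URL in href/src/redirect
    r"""(?:^|[\s"'/<])on[a-z]+\s*=""",      # inline event handler (onerror=, onload=, ...)
    r"<(?:svg|img|iframe|object|embed)\b",  # tags commonly used to carry a handler
    r"expression\s*\(",                     # legacy CSS expression()
)]


def normalise(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding, then HTML entities, then lower-case.

    Attackers double-encode (%253C -> %3C -> <) to slip past naive filters such as a
    literal "<script" match; decoding stops early once the string stops changing.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unescape(value).lower()


def scan_line(line: str) -> List[Dict[str, str]]:
    """Findings for one log line (empty if the line is benign or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("uri"))
    # Check the path as well as each query value: reflection is not always via ?param=.
    candidates = [("(path)", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for name, value in candidates:
        decoded = normalise(value)
        for pat in XSS_PATTERNS:
            if pat.search(decoded):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": name, "decoded": decoded, "pattern": pat.pattern})
                break  # one finding per parameter is enough
    return findings


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run scan_line over a whole log and flatten the results."""
    return [hit for line in lines for hit in scan_line(line)]


# Constructed sample log: one benign search, then three probes
# (plain, double-encoded, javascript: URL). IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?s=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:07 +0000] "GET /?s=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:01:15 +0000] "GET /shop/?filter=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:02:40 +0000] "GET /?redirect=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} matched {hit['pattern']!r}: {hit['decoded'][:60]}")
```

Access logs do not record POST bodies, so a payload delivered by form submission is invisible to this scanner; pair it with a WAF or application-level log that captures request bodies if that vector matters for your site.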

🔗 References

  • Patchstack advisory: https://patchstack.com/database/vulnerability/woocommerce-jetpack/wordpress-booster-for-woocommerce-plugin-7-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
