Volerion logoVolerion
Volerion logoVolerion

Booster for WooCommerce WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in the Booster for WooCommerce plugin for WordPress, affecting all versions through 7.2.4. The issue arises from inadequate file type validation in the 'add_files_to_order' function. This vulnerability enables unauthenticated attackers to upload files with double extensions to the server, potentially leading to remote code execution, depending on the server's configuration.

Impact

Exploitation of this vulnerability could allow for arbitrary file uploads, with the potential for remote code execution if the uploaded file is executed by the server.

Reproduction

The vulnerability can be reproduced by uploading a file through the WooCommerce checkout files upload feature, available in versions of the Booster for WooCommerce plugin prior to 7.2.5. The uploaded file can have a double extension, such as '.php.jpg', which may be executed as a PHP file under certain server configurations.

Remediation

Users are advised to update the Booster for WooCommerce plugin to version 7.2.5 or later.

Added: Aug 29, 2025, 11:19 AM
Updated: Aug 29, 2025, 11:19 AM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
10.0
exploitability
7.4
remediation
7.7
relevance
0.4
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.