CVE-2024-13708 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the Booster for WooCommerce plugin for WordPress, specifically versions from 4.0.1 through 7.2.4. The flaw arises from inadequate input sanitization and output escaping of SVG file uploads, which allows unauthenticated attackers to upload SVG files embedded with malicious JavaScript. When these SVG files are accessed by users, the embedded scripts execute, resulting in stored cross-site scripting (XSS). This type of XSS is particularly dangerous because the malicious payload is stored on the server and served to any user visiting the affected page, potentially leading to session hijacking, credential theft, or further exploitation of the victim’s browser. The vulnerability has a CVSS 3.1 base score of 7.2, indicating high severity, with an attack vector of network (no physical or local access required), low attack complexity, no privileges or user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. Although no public exploits have been reported yet, the vulnerability’s characteristics make it a prime target for attackers seeking to compromise WooCommerce-based e-commerce sites. The plugin’s popularity in the WordPress ecosystem increases the potential attack surface. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

The primary impact of CVE-2024-13708 is the compromise of confidentiality and integrity of affected WooCommerce sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to theft of session cookies, user credentials, or other sensitive information. This can facilitate account takeover, unauthorized transactions, or further lateral movement within the victim’s environment. The stored nature of the XSS means that every user accessing the infected SVG file is at risk, amplifying the potential damage. For organizations relying on WooCommerce for e-commerce, this can result in loss of customer trust, financial losses, and reputational damage. Additionally, attackers could use the vulnerability as a foothold to deploy malware or conduct phishing campaigns targeting site visitors. Given the widespread use of WordPress and WooCommerce globally, the threat has a broad potential impact, especially on small to medium-sized businesses that may lack robust security monitoring.

To mitigate CVE-2024-13708, organizations should first check for and apply any official patches or updates released by the plugin vendor as soon as they become available. In the absence of a patch, immediate steps include disabling SVG file uploads within the Booster for WooCommerce plugin or restricting upload capabilities to trusted users only. Implementing a web application firewall (WAF) with rules to detect and block malicious SVG payloads can provide an additional layer of defense. Site administrators should also sanitize and validate all uploaded files rigorously, ensuring that SVG files do not contain embedded scripts or dangerous content. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regular security audits and monitoring of upload directories for suspicious files are recommended. Finally, educating site users and administrators about the risks of untrusted file uploads and maintaining regular backups will aid in rapid recovery if exploitation occurs.