CVE-2024-13744 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the Booster for WooCommerce plugin for WordPress, specifically versions 4.0.1 through 7.2.4. The root cause is the lack of proper file type validation in the function validate_product_input_fields_on_add_to_cart, which is responsible for handling product input fields during the add-to-cart process. This flaw allows unauthenticated attackers to upload arbitrary files to the server hosting the WordPress site. Because the uploaded files are not properly validated, attackers can upload malicious scripts or executables, potentially leading to remote code execution (RCE). The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity, with attack vector being network (remote), no privileges required, no user interaction needed, but with high attack complexity. The scope is unchanged, but the impact on confidentiality, integrity, and availability is high. No patches or exploit code are currently publicly available, but the risk remains significant given the widespread use of WooCommerce and its plugins in e-commerce environments.

The exploitation of this vulnerability could allow attackers to gain unauthorized access to the affected web server, execute arbitrary code, and potentially take full control over the WordPress site and underlying infrastructure. This could lead to data breaches, defacement, insertion of backdoors, theft of customer information, disruption of e-commerce operations, and further lateral movement within the victim's network. Given WooCommerce’s popularity in online retail, compromised sites could also be used to distribute malware to customers or conduct fraudulent transactions. The impact extends beyond the website to the organization's reputation, customer trust, and compliance with data protection regulations. The high CVSS score reflects the critical nature of these potential consequences.

Organizations should immediately verify if they are running affected versions of the Booster for WooCommerce plugin (4.0.1 to 7.2.4) and upgrade to the latest patched version once available. In the absence of an official patch, administrators should implement strict file upload restrictions at the web server or application firewall level, such as blocking executable file types and restricting upload directories. Employing a Web Application Firewall (WAF) with rules to detect and block suspicious file uploads can reduce risk. Additionally, disable or limit the add-to-cart custom input fields if not required. Regularly audit and monitor file upload directories for unauthorized files. Harden the WordPress environment by restricting PHP execution in upload directories and ensuring least privilege permissions on the server. Conduct thorough incident response readiness and backup critical data to enable recovery in case of compromise.