Booster for WooCommerce Vulnerability – Unauthenticated Arbitrary Shortcode Execution – CVE-2024-3957 | WordPress Plugin Vulnerability Report
Plugin Name: Booster for WooCommerce
Key Information:
- Software Type: Plugin
- Software Slug: woocommerce-jetpack
- Software Status: Active
- Software Author: pluggabl
- Software Downloads: 3,639,153
- Active Installs: 50,000
- Last Updated: May 1, 2024
- Patched Versions: 7.1.9
- Affected Versions: <= 7.1.8
Vulnerability Details:
- Name: Booster for WooCommerce <= 7.1.8 - Unauthenticated Arbitrary Shortcode Execution
- Type: Improper Control of Generation of Code ('Code Injection')
- CVE: CVE-2024-3957
- CVSS Score: 6.5 (Medium)
- Publicly Published: May 1, 2024
- Researcher: stealthcopter
- Description: The Booster for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 7.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide.
Summary:
The Booster for WooCommerce plugin for WordPress has a vulnerability in versions up to and including 7.1.8 that allows unauthenticated attackers to execute arbitrary shortcodes. This vulnerability has been patched in version 7.1.9.
Detailed Overview:
The vulnerability was discovered by security researcher stealthcopter and publicly disclosed on May 1, 2024. It is an Improper Control of Generation of Code ('Code Injection') vulnerability that allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability of this vulnerability depend on what other plugins are installed and what shortcode functionality they provide. The vulnerability has been assigned a CVSS score of 6.5 (Medium).
Advice for Users:
- Immediate Action: Users are strongly encouraged to update the Booster for WooCommerce plugin to version 7.1.9 or later to secure their WordPress installations.
- Check for Signs of Vulnerability: Users should review their site for any unexpected or suspicious activity, especially if they were running an affected version of the plugin.
- Alternate Plugins: While a patch is available, users might still consider plugins that over similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 7.1.9 or later to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-jetpack
Detailed Report:
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.