Stored Cross-Site Scripting in Booster for WooCommerce Plugin by WordPress
CVE-2024-13708

7.2HIGH

Key Information:

Vendor: WordPress
Status: Booster For WooCommerce
Vendor: CVE Published:; 4 April 2025

What is CVE-2024-13708?

The Booster for WooCommerce plugin for WordPress has a vulnerability that allows stored cross-site scripting (XSS) through SVG file uploads. This issue arises from inadequate sanitization of user inputs and ineffective output escaping, permitting unauthenticated attackers to upload malicious scripts. When users access the infected SVG files, these scripts can execute, leading to potential data compromise and security breaches.

Affected Version(s)

Booster for WooCommerce 4.0.1 <= 7.2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woocommerce-je...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2025
Vulnerability Reserved
Jan 24, 2025

Credit

lucky_buddy