Description
Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions.
Published: 2026-06-26
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated or unauthenticated attacker to upload files of any type through the Booster for WooCommerce plugin, enabling the placement of executable code on the web server. If the uploaded file is designed as a web shell or contains malicious payloads, the attacker can achieve full control over the affected WordPress installation, compromising confidentiality, integrity, and availability. The weakness is classified as CWE‑434, indicating an improper handling of file uploads.

Affected Systems

All WordPress sites running the Booster for WooCommerce plugin version 8.0.1 or earlier are affected. The vulnerability is present in any instance where the plugin's file upload functionality is reachable by a potential attacker, regardless of the WordPress theme or other plugins in use.

Risk and Exploitability

The CVSS score of 9.9 signals a critical severity and indicates that exploitation is likely to result in remote code execution. Although an EPSS score is not available, the high CVSS suggests the vulnerability is actively exploitable in the wild. The plugin is not listed in the CISA KEV catalog, but the arbitrary file upload still represents a substantial risk. The attack vector is inferred to be a web-based file upload endpoint exposed by the plugin, which can be abused without requiring privileged credentials, depending on the site’s configuration.

Generated by OpenCVE AI on June 26, 2026 at 17:49 UTC.

Remediation

Vendor Solution

Update the WordPress Booster for WooCommerce Plugin to the latest available version (at least 8.0.2).

OpenCVE Recommended Actions

  • Update the Booster for WooCommerce plugin to version 8.0.2 or later.
  • Restrict file upload permissions by disabling the endpoint for unauthenticated users or limiting it to specific roles.
  • Implement a Web Application Firewall rule or upload filter to accept only safe file types and reject potentially malicious uploads.

Generated by OpenCVE AI on June 26, 2026 at 17:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Pluggabl
Pluggabl booster For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Pluggabl
Pluggabl booster For Woocommerce
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions.
Title WordPress Booster for WooCommerce plugin <= 8.0.1 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Pluggabl Booster For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:49:48.450Z

Reserved: 2026-06-18T14:37:29.429Z

Link: CVE-2026-56027

cve-icon Vulnrichment

Updated: 2026-06-26T15:49:44.304Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T19:15:03Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type