WordPress Plugin Vulnerabilities

Booster for WooCommerce < 7.1.9 - Unauthenticated Arbitrary Shortcode Execution

Description

The Booster for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 7.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide.

Affects Plugins

Plugin icon
woocommerce-jetpack
Fixed in 7.1.9

References

CVE
CVE-2024-3957
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1653de8f-62eb-488b-9e97-8b30221b509f

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
e5606be1-8256-45c1-88ee-44b9956276da

Timeline

Publicly Published
2024-05-01 (about 2 years ago)
Added
2024-05-01 (about 2 years ago)
Last Updated
2024-05-01 (about 2 years ago)

Other

Published
Title
Published
2025-09-26
Title
Norebro Extra <= 1.6.8 - Unauthenticated Arbitrary Shortcode Execution
Published
2026-05-01
Title
Widget Options < 4.2.3 - Contributor+ Remote Code Execution via Display Logic
Published
2026-03-23
Title
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization < 8.2.8 - Authenticated (Editor+) Remote Code Execution
Published
2025-08-04
Title
Eventer < 3.11.2.2 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-02-24
Title
Ohio Extra <= 3.4.7 - Unauthenticated Arbitrary Shortcode Execution