CVE-2024-1986: 
WordPress vulnerability analysis and mitigation

The Booster Elite for WooCommerce plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2024-1986) in versions up to and including 7.1.7. The vulnerability exists in the wcaddnew_product() function due to missing file type validation, affecting sites with enabled user product upload functionality (NVD).

The vulnerability stems from inadequate file type validation in the wcaddnew_product() function, which allows customer-level users and above to upload arbitrary files to the affected site's server. The vulnerability has received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Wordfence).

The vulnerability could potentially lead to remote code execution on the affected server when exploited successfully. This poses a significant security risk as attackers could gain unauthorized access to the server and execute malicious code (NVD).

Site administrators should update the Booster Elite for WooCommerce plugin to a version newer than 7.1.7. If immediate updating is not possible, it is recommended to disable the user product upload functionality until the update can be applied (Booster).