CVE-2024-13315
Published: 18 February 2025
Description
The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting() function. This makes it possible for unauthenticated attackers to update arbitrary options and achieve privilege escalation via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Security Summary
CVE-2024-13315 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress in all versions up to and including 1.0.11. The flaw arises from missing or incorrect nonce validation in the save_setting() function, so a forged request submitted from an administrator's browser is accepted as a legitimate settings change. Published on 2025-02-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): High severity, with no privileges required, user interaction required, and high impact on confidentiality, integrity and availability.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link. Upon success, attackers can update arbitrary options in the plugin, resulting in privilege escalation on the targeted WordPress site.
The mitigation is to update the Shopwarden plugin to a version later than 1.0.11. Key resources are the vulnerable code in shopwarden.php at line 112 (https://plugins.trac.wordpress.org/browser/shopwarden/trunk/shopwarden.php#L112), the changeset for the fix (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3238978%40shopwarden&new=3238978%40shopwarden&sfp_email=&sfph_mail=), and Wordfence's threat intelligence entry (https://www.wordfence.com/threat-intel/vulnerabilities/id/b11ed628-f736-4262-80a2-62b32948a3a4?source=cve).
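The defect class the advisory describes, as an added PHP illustration that is not Shopwarden's own code (the function names, option keys and nonce action are assumptions): a settings handler that writes client-supplied options with no nonce check, beside a hardened version that verifies the nonce, checks the caller's capability and allow-lists which options may be written.

```php
<?php
// Added illustration, not Shopwarden's code. A hypothetical save_setting()
// handler showing the CSRF pattern in the advisory, then the hardened form.
// Function names, option keys and the nonce action are assumptions.

// VULNERABLE: any POST that reaches wp-admin is trusted. If an administrator
// is lured onto a page that auto-submits a form to this endpoint, the browser
// attaches the admin's cookies and update_option() writes whatever option
// name and value the forged request carries.
function shopwarden_save_setting_vulnerable() {
    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        update_option( $_POST['option_name'], $_POST['option_value'] );
    }
}

// HARDENED: three independent controls, each needed.
function shopwarden_save_setting_hardened() {
    // 1. Nonce: ties the request to a form this plugin rendered for this
    //    user session. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'shopwarden_save_setting', 'shopwarden_nonce' );

    // 2. Capability: a valid nonce proves origin, not authorisation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Allow-list: the client never chooses the option key. Letting it do
    //    so exposes every core option, which is how "arbitrary option update"
    //    turns into privilege escalation.
    $allowed = array( 'shopwarden_monitor_interval', 'shopwarden_alert_email' );
    foreach ( $allowed as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
        }
    }
}

// The settings form must emit the matching nonce field for control 1 to work.
function shopwarden_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="shopwarden_save_setting">';
    wp_nonce_field( 'shopwarden_save_setting', 'shopwarden_nonce' );
    echo '<input type="text" name="shopwarden_alert_email">';
    submit_button( 'Save' );
    echo '</form>';
}

add_action( 'admin_post_shopwarden_save_setting', 'shopwarden_save_setting_hardened' );
```

When reviewing a plugin for this class of bug, look for every update_option() reachable from a request handler and confirm a nonce check and a capability check sit on the same code path before it.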
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)