CVE-2024-13343
Published: 01 February 2025
Description
The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Security Summary
CVE-2024-13343 is a privilege escalation vulnerability in the WooCommerce Customers Manager plugin for WordPress, caused by a missing capability check in the ajax_assign_new_roles() function. This issue affects all versions up to and including 31.3. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management) and CWE-862 (Missing Authorization).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation enables them to elevate their privileges to administrator level, providing potential full control over the affected WordPress site, including high impacts on confidentiality, integrity, and availability.
Advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/193c9fe9-17bc-47e7-b93d-dfcebcf8004d?source=cve provide further details. Security practitioners should review the plugin page at https://codecanyon.net/item/woocommerce-customers-manager/10965432 and update to any version beyond 31.3 if patches are available.
Details
- CWE(s)