CVE-2024-13528

CVE-2024-13528 is an authentication bypass vulnerability affecting the Customer Email Verification for WooCommerce plugin for WordPress in all versions up to and including 2.9.5. The issue stems from a shortcode that generates a confirmation link using a placeholder email address, enabling improper verification logic (CWE-287). It has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact with low privileges required but high attack complexity.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability by generating a verification link for any unverified user account, allowing them to log in as that user. Exploitation requires the 'Fine tune placement' option to be enabled in the plugin settings, limiting the attack surface to configurations where this feature is active. Successful exploitation grants full access to the targeted account, potentially leading to unauthorized data access, modification, or other administrative actions depending on the site's roles.

Wordfence's threat intelligence advisory details the vulnerability and recommends updating the plugin to a patched version beyond 2.9.5. A fix is available in WordPress plugin changeset 3238136, which addresses the shortcode logic in class-alg-wc-ev-emails.php (previously vulnerable at line 151 in tag 2.9.2). Security practitioners should verify plugin configurations, disable unnecessary shortcodes if possible, and prioritize updates for WooCommerce sites with email verification enabled.