CVE-2024-13558
Published: 20 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13558 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the NP Quote Request for WooCommerce plugin for WordPress in all versions up to and including 1.9.179. The issue stems from missing validation on a user-controlled key, which exposes the content of quote requests. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges required.
Unauthenticated attackers can exploit this vulnerability remotely by manipulating the user-controlled key to access quote request content belonging to other users. No user interaction or privileges are needed, enabling arbitrary disclosure of sensitive quote data across the site.
WordPress plugin trac changeset 3256816 addresses the issue, with additional details available on the plugin's developers page and Wordfence threat intelligence advisory. Site operators should update the plugin beyond version 1.9.179 to mitigate the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR vulnerability in public-facing WordPress plugin enables remote unauthenticated exploitation of internet-facing application for data access.