CVE-2024-13315
Published: 18 February 2025
Summary
CVE-2024-13315 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress. Its CVSS v3.1 base score is 8.8 (High).
Operationally, this analysis maps exploitation to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 29.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13315 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress in all versions up to and including 1.0.11. The flaw arises from missing or incorrect nonce validation in the save_setting() function, so a state-changing request is accepted without any proof that it originated from the plugin's own settings page. Published on 2025-02-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): the attack is network-reachable, low in complexity and needs no privileges on the attacker's side, but it requires user interaction (UI:R) from a victim administrator; a successful forged request has high impact on the confidentiality, integrity and availability of the site.
Unauthenticated attackers exploit the flaw by tricking a logged-in site administrator into performing an action, such as clicking a link to an attacker-controlled page that submits the forged request; the administrator's browser attaches the WordPress session cookie, so the plugin processes the request as the administrator. On success the attacker can update arbitrary options on the site. Because WordPress keeps security-relevant settings in the options table, an arbitrary option write amounts to privilege escalation on the targeted WordPress site.
Advisories point to mitigation through updating the Shopwarden plugin to a version later than 1.0.11. Key resources include the vulnerable code in shopwarden.php at line 112 (https://plugins.trac.wordpress.org/browser/shopwarden/trunk/shopwarden.php#L112), the changeset for the fix (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3238978%40shopwarden&new=3238978%40shopwarden&sfp_email=&sfph_mail=), and Wordfence's threat intelligence entry (https://www.wordfence.com/threat-intel/vulnerabilities/id/b11ed628-f736-4262-80a2-62b32948a3a4?source=cve).
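The following is an added illustration, not code from the Shopwarden plugin, the changeset or the advisory: a hypothetical WordPress admin-ajax handler written in the shape the description implies (it writes whichever option name and value the request carries and performs no nonce check), followed by a hardened version that rejects the forged request before update_option() is reached. The hook name shopwarden_save_setting, the nonce action shopwarden_settings, the request field names and the two allow-listed option keys are assumptions chosen for the example.

```php
<?php
// Added example, not Shopwarden's code. The hook, nonce action, field names
// and option keys below are assumptions made for illustration.

// --- Vulnerable pattern (hypothetical, the shape of the flaw described) ------
// Imagine this hooked to 'wp_ajax_shopwarden_save_setting', so it only runs
// for logged-in users. That is enough for CSRF: the victim administrator's
// browser attaches the session cookie to a request a third-party page submits.
function shopwarden_vuln_save_setting() {
    // No nonce, no capability check, no restriction on the option name:
    // any site the admin visits can POST here and update_option() anything.
    $option = $_POST['option'] ?? '';
    $value  = $_POST['value']  ?? '';
    update_option( $option, $value );
    wp_send_json_success();
}

// --- Hardened handler --------------------------------------------------------
// Options this endpoint may write, each with the sanitizer to apply.
const SHOPWARDEN_ALLOWED_OPTIONS = [
    'shopwarden_check_interval' => 'absint',
    'shopwarden_notify_email'   => 'sanitize_email',
];

add_action( 'wp_ajax_shopwarden_save_setting', 'shopwarden_safe_save_setting' );

function shopwarden_safe_save_setting() {
    // 1. Nonce: check_ajax_referer() verifies $_POST['nonce'] against the
    //    action 'shopwarden_settings' for the current user and, on failure,
    //    stops execution with HTTP 403. A cross-site page cannot obtain the
    //    token, so a forged request fails here.
    check_ajax_referer( 'shopwarden_settings', 'nonce' );

    // 2. Capability: a nonce proves intent, not authorisation. Refuse any
    //    logged-in user who may not manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allow-list the option name so this endpoint can never reach core
    //    options, which is what "update arbitrary options" means above.
    $option = sanitize_key( wp_unslash( $_POST['option'] ?? '' ) );
    if ( ! isset( SHOPWARDEN_ALLOWED_OPTIONS[ $option ] ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    // 4. Sanitize the value with the function registered for that option.
    $sanitize = SHOPWARDEN_ALLOWED_OPTIONS[ $option ];
    $value    = $sanitize( wp_unslash( $_POST['value'] ?? '' ) );

    update_option( $option, $value );
    wp_send_json_success( [ 'option' => $option, 'value' => $value ] );
}

// --- Legitimate settings form ------------------------------------------------
// The plugin's own page must send the token the handler expects;
// wp_nonce_field() emits a hidden <input name="nonce"> for that action.
function shopwarden_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="shopwarden_save_setting">';
    wp_nonce_field( 'shopwarden_settings', 'nonce' );
    echo '<input type="hidden" name="option" value="shopwarden_notify_email">';
    echo '<input type="email" name="value">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

Two caveats a reviewer should keep in mind. First, a WordPress nonce is not a one-time token: it is tied to the user, the session token, the action and a time window (valid for up to 24 hours), so the capability check and the option allow-list are what bound the damage if a token leaks. Second, the nonce check must run before anything is written; a check placed after update_option(), or one whose failure is merely logged, leaves the CSRF intact even though the code appears to "validate the nonce", which is the "incorrect nonce validation" case the advisory text mentions.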
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4827
Vulnerability details
The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting() function. This makes it possible for unauthenticated attackers to update arbitrary options and achieve privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
CSRF lets an attacker forge option updates through an administrator's authenticated browser session, which leads directly to privilege escalation on the WordPress site.
Affected Assets
- Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress, all versions up to and including 1.0.11
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) requires validation of information inputs, which covers checking the nonce that must accompany a state-changing request; the missing or incorrect check in save_setting() is exactly the gap that enables CSRF exploitation.
SC-23 (Session Authenticity) requires mechanisms that protect the authenticity of sessions, which is what a per-user, per-action nonce provides: it stops a third-party site from forging requests that ride on an authenticated administrator's cookies.
SI-2 (Flaw Remediation) requires timely identification, reporting and correction of flaws, such as updating the Shopwarden plugin to a version later than 1.0.11 to remove the CSRF vulnerability.