Cyber Resilience

CVE-2024-13315

High

Published: 18 February 2025
Modified: 21 February 2025
KEV Added: not listed
Patch:
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13315 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Shopwarden plugin for WordPress. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation). EPSS ranks it at the 29.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13315 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress in all versions up to and including 1.0.11. The flaw arises from missing or incorrect nonce validation in the save_setting() function, enabling unauthorized modifications through forged requests. Published on 2025-02-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link. Upon success, attackers can update arbitrary options in the plugin, resulting in privilege escalation on the targeted WordPress site.

Advisories point to mitigation through updating the Shopwarden plugin beyond version 1.0.11. Key resources include the vulnerable code in shopwarden.php at line 112 (https://plugins.trac.wordpress.org/browser/shopwarden/trunk/shopwarden.php#L112), the related changeset for the fix (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3238978%40shopwarden&new=3238978%40shopwarden&sfp_email=&sfph_mail=), and Wordfence's threat intelligence details (https://www.wordfence.com/threat-intel/vulnerabilities/id/b11ed628-f736-4262-80a2-62b32948a3a4?source=cve).

EU & UK References

Vulnerability details

The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting() function. This makes it possible for unauthenticated attackers to update arbitrary options and achieve privilege escalation via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CSRF allows forged option updates leading directly to privilege escalation on the WordPress site.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2016-20034 (shared CWE-352)
CVE-2025-23530 (shared CWE-352)
CVE-2025-27276 (shared CWE-352)
CVE-2026-30793 (shared CWE-352)
CVE-2025-23532 (shared CWE-352)
CVE-2025-25928 (shared CWE-352)
CVE-2025-55041 (shared CWE-352)
CVE-2025-27012 (shared CWE-352)
CVE-2025-26206 (shared CWE-352)
CVE-2025-23797 (shared CWE-352)

Affected Assets

shopwarden / shopwarden, versions ≤ 1.0.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-10 mandates validation of information inputs, directly addressing the missing nonce validation in the save_setting() function that enables CSRF exploitation.

Prevent: SC-23 requires mechanisms to protect session authenticity, mitigating CSRF attacks that forge requests on behalf of authenticated administrators.

Prevent: SI-2 requires timely identification, reporting, and correction of flaws, such as patching the Shopwarden plugin beyond version 1.0.11 to eliminate the CSRF vulnerability.
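To make the defect described under "Deeper analysis" and the SC-23 / SI-10 controls above concrete, the following is an added PHP illustration of a WordPress plugin settings handler. It is not the Shopwarden plugin's code: the hook name, option names, capability and form are assumptions chosen for the example. The first function shows the generic missing-nonce pattern (any request that arrives with the administrator's cookies is honoured, and the option name itself comes from the request); the second shows the hardened shape using WordPress's own nonce and capability APIs plus an option allowlist with per-option sanitisation.

```php
<?php
// Added illustration, not the Shopwarden plugin's code. Hook names, option
// names, capability and the settings form are assumptions for the example.

// BEFORE (vulnerable pattern, CWE-352): no nonce check, no capability check,
// and the option name is taken from the request, so a forged request sent
// from another origin while an admin is logged in can write any option.
function vulnerable_save_setting() {
    $option = $_POST['option'];
    $value  = $_POST['value'];
    update_option( $option, $value );
}

// AFTER (hardened): nonce validation ties the request to a form the site
// itself rendered (SC-23, session authenticity); the capability check and
// the allowlist plus sanitiser enforce input validation (SI-10).
const SHOPWARDEN_ALLOWED_OPTIONS = array(
    // option name             => sanitiser applied before storage
    'shopwarden_notify_email'  => 'sanitize_email',
    'shopwarden_check_interval' => 'absint',
);

function hardened_save_setting() {
    // Calls wp_die() with a 403 unless a valid nonce for this action is present.
    check_admin_referer( 'shopwarden_save_setting' );

    // Nonces prove the request came from a form this site rendered; they do
    // not prove authorisation, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Only options this handler owns may be written; everything else is rejected.
    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! isset( SHOPWARDEN_ALLOWED_OPTIONS[ $option ] ) ) {
        wp_die( 'Unknown setting', '', array( 'response' => 400 ) );
    }

    $sanitize = SHOPWARDEN_ALLOWED_OPTIONS[ $option ];
    $value    = isset( $_POST['value'] ) ? $sanitize( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $option, $value );

    wp_safe_redirect( admin_url( 'admin.php?page=shopwarden&updated=1' ) );
    exit;
}
add_action( 'admin_post_shopwarden_save_setting', 'hardened_save_setting' );

// The legitimate settings form embeds the matching nonce (field name
// _wpnonce) so that only submissions from this form pass check_admin_referer().
function shopwarden_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="shopwarden_save_setting">
        <?php wp_nonce_field( 'shopwarden_save_setting' ); ?>
        <input type="hidden" name="option" value="shopwarden_notify_email">
        <input type="email" name="value">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

Two points worth checking when reviewing a plugin for this class of bug: a nonce check alone is not an authorisation check (the capability check has to stay), and a handler that accepts the option name from the request needs an allowlist, because otherwise a correctly authenticated but forged request can still reach options such as the default registration role that a settings page was never meant to expose.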

References