Cyber Resilience

CVE-2024-13343

High

Published: 01 February 2025

Published
01 February 2025
Modified
24 February 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13343 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Vanquish Woocommerce Customers Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-13343 is a privilege escalation vulnerability in the WooCommerce Customers Manager plugin for WordPress, caused by a missing capability check in the ajax_assign_new_roles() function. This issue affects all versions up to and including 31.3. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management) and CWE-862 (Missing Authorization).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation enables them to elevate their privileges to administrator level, providing potential full control over the affected WordPress site, including high impacts on confidentiality, integrity, and availability.

Advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/193c9fe9-17bc-47e7-b93d-dfcebcf8004d?source=cve provide further details. Security practitioners should review the plugin page at https://codecanyon.net/item/woocommerce-customers-manager/10965432 and update to any version beyond 31.3 if patches are available.

EU & UK References

Vulnerability details

The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access…

more

and above, to elevate their privileges to that of an administrator.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization check enables authenticated privilege escalation from subscriber to administrator via plugin function.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-10591Same product class: WordPress / CMS plugin
CVE-2024-12129Same product class: WordPress / CMS plugin
CVE-2025-22786Same product class: WordPress / CMS plugin
CVE-2025-7341Same product class: WordPress / CMS plugin
CVE-2025-24618Same product class: WordPress / CMS plugin
CVE-2025-14457Same product class: WordPress / CMS plugin
CVE-2025-24596Same product class: WordPress / CMS plugin
CVE-2024-13528Same product class: WordPress / CMS plugin
CVE-2024-13835Shared CWE-269
CVE-2025-36640Shared CWE-269

Affected Assets

vanquish
woocommerce customers manager
≤ 31.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to resources, directly mitigating the missing capability check in ajax_assign_new_roles() that allows privilege escalation.

prevent

Implements least privilege to restrict subscriber accounts from escalating to administrator roles via unauthorized functions.

prevent

Manages account provisioning and privilege assignments to prevent improper role elevations exploited by low-privilege authenticated users.

References