CVE-2024-13343
Published: 01 February 2025
Summary
CVE-2024-13343 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Vanquish Woocommerce Customers Manager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-13343 is a privilege escalation vulnerability in the WooCommerce Customers Manager plugin for WordPress, caused by a missing capability check in the ajax_assign_new_roles() function. This issue affects all versions up to and including 31.3. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management) and CWE-862 (Missing Authorization).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation enables them to elevate their privileges to administrator level, providing potential full control over the affected WordPress site, including high impacts on confidentiality, integrity, and availability.
Advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/193c9fe9-17bc-47e7-b93d-dfcebcf8004d?source=cve provide further details. Security practitioners should review the plugin page at https://codecanyon.net/item/woocommerce-customers-manager/10965432 and update to any version beyond 31.3 if patches are available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51543
Vulnerability details
The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access…
more
and above, to elevate their privileges to that of an administrator.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization check enables authenticated privilege escalation from subscriber to administrator via plugin function.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to resources, directly mitigating the missing capability check in ajax_assign_new_roles() that allows privilege escalation.
Implements least privilege to restrict subscriber accounts from escalating to administrator roles via unauthorized functions.
Manages account provisioning and privilege assignments to prevent improper role elevations exploited by low-privilege authenticated users.