CVE-2024-13528
Published: 12 February 2025
Summary
CVE-2024-13528 is a high-severity Improper Authentication (CWE-287) vulnerability in Wpfactory Customer Email Verification For Woocommerce. Its CVSS base score is 7.5 (High).
Operationally, ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the specific flaw in the plugin's shortcode logic that uses a placeholder email directly eliminates the authentication bypass vulnerability.
Establishing and monitoring secure configuration settings for the plugin, such as disabling the 'Fine tune placement' option, prevents exploitation of the vulnerable shortcode.
Restricting the plugin to least functionality by prohibiting unnecessary shortcodes or features limits the attack surface for generating unauthorized verification links.
NVD Description
The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder…
more
email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The 'Fine tune placement' option must be enabled in the plugin settings in order to exploit the vulnerability.
Deeper analysisAI
CVE-2024-13528 is an authentication bypass vulnerability affecting the Customer Email Verification for WooCommerce plugin for WordPress in all versions up to and including 2.9.5. The issue stems from a shortcode that generates a confirmation link using a placeholder email address, enabling improper verification logic (CWE-287). It has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact with low privileges required but high attack complexity.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability by generating a verification link for any unverified user account, allowing them to log in as that user. Exploitation requires the 'Fine tune placement' option to be enabled in the plugin settings, limiting the attack surface to configurations where this feature is active. Successful exploitation grants full access to the targeted account, potentially leading to unauthorized data access, modification, or other administrative actions depending on the site's roles.
Wordfence's threat intelligence advisory details the vulnerability and recommends updating the plugin to a patched version beyond 2.9.5. A fix is available in WordPress plugin changeset 3238136, which addresses the shortcode logic in class-alg-wc-ev-emails.php (previously vulnerable at line 151 in tag 2.9.2). Security practitioners should verify plugin configurations, disable unnecessary shortcodes if possible, and prioritize updates for WooCommerce sites with email verification enabled.
Details
- CWE(s)