CVE-2024-13558
Published: 20 March 2025
Summary
CVE-2024-13558 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the NP Quote Request for WooCommerce WordPress plugin by Neahplugins, affecting all versions up to and including 1.9.179. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to quote requests, directly preventing IDOR exploitation through the unvalidated user-controlled key.
- SI-10 (Information Input Validation): requires validation of user-controlled inputs such as the key parameter so that only quote request content the caller is authorized to see is returned.
- SI-2 (Flaw Remediation): mandates timely flaw remediation by updating the vulnerable NP Quote Request plugin to a version later than 1.9.179, which fixes the IDOR issue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): the IDOR in a public-facing WordPress plugin lets a remote, unauthenticated attacker exploit the internet-facing application to read data.
NVD Description
The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to read the content of quote requests.
Deeper analysis
CVE-2024-13558 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the NP Quote Request for WooCommerce plugin for WordPress in all versions up to and including 1.9.179. The issue stems from missing validation on a user-controlled key, which exposes the content of quote requests. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges required.
Unauthenticated attackers can exploit this vulnerability remotely by manipulating the user-controlled key to access quote request content belonging to other users. No user interaction or privileges are needed, enabling arbitrary disclosure of sensitive quote data across the site.
The fix is in WordPress plugin trac changeset 3256816; additional details are available on the plugin's developers page and in the Wordfence threat intelligence advisory. Site operators should update the plugin to a version later than 1.9.179 to mitigate the vulnerability.
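To make the CWE-639 pattern and the AC-3/SI-10 controls listed above concrete, the following is an added illustration written for this page. It is not the NP Quote Request plugin's code and does not reproduce its endpoint; it is a hypothetical WordPress AJAX handler that returns a stored quote request by ID, first in the vulnerable shape the advisory describes (object key taken from the request and never tied to the caller) and then in a hardened shape. All action names, function names, the 'np_quote' post type, the nonce action and the 'quote_id' parameter are assumptions made for the example.

```php
<?php
/**
 * Added example (not the NP Quote Request plugin's code). A quote request is
 * modelled as a custom post type 'np_quote' whose requester is post_author.
 * Every hook, function and parameter name here is an assumption.
 */

// --- Vulnerable pattern (CWE-639) -------------------------------------------
// Exposed to logged-in AND anonymous callers, reads the object key straight from
// the request, and returns whatever object that key names.
add_action( 'wp_ajax_example_get_quote',        'example_get_quote_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_quote', 'example_get_quote_vulnerable' );

function example_get_quote_vulnerable() {
    $quote_id = isset( $_GET['quote_id'] ) ? (int) $_GET['quote_id'] : 0; // user-controlled key
    $quote    = get_post( $quote_id );
    if ( ! $quote ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Missing check that the caller owns $quote: any visitor can walk quote_id=1,2,3,...
    wp_send_json_success( array( 'content' => $quote->post_content ) );
}

// --- Hardened pattern -------------------------------------------------------
// Logged-in callers only (no wp_ajax_nopriv_ hook), CSRF nonce, strict input
// validation, and an ownership/capability decision before any data is returned.
add_action( 'wp_ajax_example_get_quote_secure', 'example_get_quote_secure' );

function example_get_quote_secure() {
    // SI-10: validate the key before using it; absint() maps negatives and
    // non-numeric input to 0, which is rejected below.
    $quote_id = isset( $_GET['quote_id'] ) ? absint( wp_unslash( $_GET['quote_id'] ) ) : 0;
    if ( 0 === $quote_id ) {
        wp_send_json_error( 'invalid quote id', 400 );
    }

    // Reject cross-site requests; 'example_get_quote' is the assumed nonce action
    // and 'nonce' the assumed request field carrying it.
    check_ajax_referer( 'example_get_quote', 'nonce' );

    $quote = get_post( $quote_id );
    // Same response for "wrong post type" and "does not exist" so the endpoint
    // cannot be used to learn which IDs are quotes.
    if ( ! $quote || 'np_quote' !== $quote->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // AC-3: authorize on the relationship between the caller and this object.
    // Unauthorized and missing objects get the same status, avoiding an existence oracle.
    if ( ! example_user_can_read_quote( get_current_user_id(), $quote ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array( 'content' => $quote->post_content ) );
}

/**
 * Authorization decision for a quote (assumed model): the requester who created
 * it, or a user holding the WooCommerce 'manage_woocommerce' capability, may
 * read it. Anyone else may not. Returns true only on an explicit match.
 */
function example_user_can_read_quote( $user_id, WP_Post $quote ) {
    if ( $user_id > 0 && (int) $quote->post_author === $user_id ) {
        return true;
    }
    return user_can( $user_id, 'manage_woocommerce' );
}
```

The essential change is that the hardened handler never treats a valid-looking ID as proof of authorization: the decision is made on who the caller is and what the object's owner field says, and the "not found" and "not allowed" outcomes are indistinguishable to the client. If a shop genuinely needs quotes to be viewable by guests who have no account, the sequential post ID should not be the reference at all; a per-quote unguessable token (for example from wp_generate_password) stored as post meta and checked with hash_equals is the usual replacement, since a guessable key plus no ownership check is exactly the combination that produces this class of vulnerability.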
Details
- CWE(s)