Cyber Resilience

CVE-2024-13558

High

Published: 20 March 2025

Published
20 March 2025
Modified
27 March 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0015 35.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13558 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Neahplugins Np Quote Request For Woocommerce. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13558 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the NP Quote Request for WooCommerce plugin for WordPress in all versions up to and including 1.9.179. The issue stems from missing validation on a user-controlled key, which exposes the content of quote requests. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges required.

Unauthenticated attackers can exploit this vulnerability remotely by manipulating the user-controlled key to access quote request content belonging to other users. No user interaction or privileges are needed, enabling arbitrary disclosure of sensitive quote data across the site.

WordPress plugin trac changeset 3256816 addresses the issue, with additional details available on the plugin's developers page and Wordfence threat intelligence advisory. Site operators should update the plugin beyond version 1.9.179 to mitigate the vulnerability.

EU & UK References

Vulnerability details

The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers…

more

to read the content of quote requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

IDOR vulnerability in public-facing WordPress plugin enables remote unauthenticated exploitation of internet-facing application for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7360Same product class: WordPress / CMS plugin
CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2024-13694Same product class: WordPress / CMS plugin
CVE-2025-24596Same product class: WordPress / CMS plugin
CVE-2024-13904Same product class: WordPress / CMS plugin
CVE-2025-1441Same product class: WordPress / CMS plugin
CVE-2025-24618Same product class: WordPress / CMS plugin
CVE-2024-13641Same product class: WordPress / CMS plugin
CVE-2024-50693Shared CWE-639

Affected Assets

neahplugins
np quote request for woocommerce
≤ 1.9.180

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to quote requests, directly preventing IDOR exploitation via missing validation on user-controlled keys.

prevent

Requires validation of user-controlled inputs like the key parameter to ensure only authorized quote request content is accessed.

prevent

Mandates timely flaw remediation by updating the vulnerable NP Quote Request plugin beyond version 1.9.179 to fix the IDOR issue.

References