CVE-2024-13694
Published: 30 January 2025
Summary
CVE-2024-13694 is a high-severity Improper Authorization (CWE-285) vulnerability in Moreconvert Woocommerce Wishlist. Its CVSS base score is 7.5 (High).
Operationally, it ranks at the 16.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations on the user-controlled key in download_pdf_file(), preventing unauthenticated attackers from accessing other users' wishlist data via IDOR.
SI-10 requires validation of the user-controlled key to ensure it corresponds to data the unauthenticated requester is authorized to access, directly mitigating the authorization bypass.
SI-2 mandates timely remediation of the flaw in WooCommerce Wishlist plugin versions up to 1.8.7 by applying the patch that adds missing key validation.
NVD Description
The WooCommerce Wishlist (High customization, fast setup, Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.
Deeper analysis
CVE-2024-13694 is an Insecure Direct Object Reference (IDOR) vulnerability affecting the WooCommerce Wishlist plugin for WordPress, which offers high customization, fast setup, free Elementor integration, and extensive features. The issue exists in all versions up to and including 1.8.7, stemming from insufficient validation of a user-controlled key in the download_pdf_file() function. This flaw is associated with CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the user-controlled key, they gain unauthorized access to download PDF files containing wishlist data belonging to other users, potentially exposing sensitive product details, user preferences, or other private information stored in wishlists.
References include Wordfence threat intelligence detailing the vulnerability, WordPress plugin trac browser links to the affected code in class-wlfmc-form-handler.php and class-wlfmc-wishlist.php, the patch in changeset 3229758, and the plugin's developer page on WordPress.org; they recommend updating to a patched version for remediation.
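As an added example (not the plugin's own code), a hypothetical WordPress handler in the vulnerable shape the description gives, beside a version that applies the AC-3 and SI-10 controls listed under Mitigating Controls; the table, column and helper names are assumed.

```php
<?php
// Added illustration (hypothetical handler, not the plugin's own code):
// an IDOR of the kind CVE-2024-13694 describes, and the authorization
// check that AC-3 / SI-10 call for. Assumes a `wishlists` table keyed by
// `share_key` with `owner_id` and `is_public` columns, and a hypothetical
// build_wishlist_pdf() that streams the PDF.

// Vulnerable pattern: the handler serves whatever the supplied key points
// to, so anyone holding or guessing a key gets another user's wishlist.
function download_pdf_file_vulnerable() {
    global $wpdb;
    $key = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    $wishlist = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}wishlists WHERE share_key = %s", $key )
    );
    if ( ! $wishlist ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    build_wishlist_pdf( $wishlist ); // no check of who is asking
}

// Hardened pattern: validate the key's shape (SI-10), then enforce that it
// resolves to data the requester may see (AC-3).
function download_pdf_file_hardened() {
    global $wpdb;
    $key = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';

    // SI-10: accept only the key format the application itself issues.
    if ( ! preg_match( '/^[A-Za-z0-9]{32}$/', $key ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 400 ) );
    }

    // AC-3: require a logged-in user, then bind the key to that user;
    // a wishlist is served to someone else only if its owner shared it.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_die( 'Unauthorized', '', array( 'response' => 401 ) );
    }
    $wishlist = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}wishlists WHERE share_key = %s", $key )
    );
    // Same response for "missing" and "not yours": do not reveal key validity.
    if ( ! $wishlist || ( (int) $wishlist->owner_id !== $user_id && ! $wishlist->is_public ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    build_wishlist_pdf( $wishlist );
}
```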
Details
- CWE(s)