Cyber Resilience

CVE-2024-13694

Severity: High

Published: 30 January 2025
Modified: 04 February 2025
KEV: not listed
Patch: available
CVSS v3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0005 (17.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13694 is a high-severity Improper Authorization (CWE-285) vulnerability in the MoreConvert WooCommerce Wishlist plugin for WordPress. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score sits at the 17.0th percentile, below the median, so the modelled likelihood of in-the-wild exploitation is low, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified are NIST SP 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation); the definitive fix is updating the plugin to a patched release (SI-2).

Deeper analysis

CVE-2024-13694 is an Insecure Direct Object Reference (IDOR) in the MoreConvert WooCommerce Wishlist plugin for WordPress, listed on WordPress.org under the name "WooCommerce Wishlist (High customization, fast setup, Free Elementor Wishlist, most features)". All versions up to and including 1.8.7 are affected. The download_pdf_file() function takes a user-controlled key that selects which wishlist is rendered as a PDF and never verifies that the requester is entitled to that wishlist. The weakness is classified as CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): full confidentiality impact, no integrity or availability impact.

The attack is network-reachable, low complexity, and needs neither privileges nor user interaction. By substituting another wishlist's key, an unauthenticated attacker can download PDF exports of wishlists belonging to other users, exposing the products they saved, their preferences, and whatever else the export includes. If the key is predictable (for example a sequential wishlist ID), the exposure is bulk-enumerable rather than limited to targeted guesses.

The cited references are Wordfence threat intelligence describing the vulnerability; WordPress plugin Trac links to the affected code in class-wlfmc-form-handler.php and class-wlfmc-wishlist.php; the fixing changeset 3229758; and the plugin's page on WordPress.org. Remediation is to update to a release that contains the fix.

Vulnerability details

The WooCommerce Wishlist (High customization, fast setup, Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An IDOR in an Internet-facing WordPress plugin gives a remote, unauthenticated attacker direct access to other users' data through the public web application, which is exactly the T1190 pattern.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13558 (same product class: WordPress / CMS plugin)
CVE-2024-13792 (same product class: WordPress / CMS plugin)
CVE-2024-13921 (same product class: WordPress / CMS plugin)
CVE-2025-24618 (same product class: WordPress / CMS plugin)
CVE-2025-7360 (same product class: WordPress / CMS plugin)
CVE-2024-13641 (same product class: WordPress / CMS plugin)
CVE-2024-13831 (same product class: WordPress / CMS plugin)
CVE-2024-13353 (same product class: WordPress / CMS plugin)
CVE-2025-24596 (same product class: WordPress / CMS plugin)
CVE-2024-13904 (same product class: WordPress / CMS plugin)

Affected Assets

Vendor: moreconvert
Product: woocommerce wishlist
Versions: ≤ 1.8.8

Note the discrepancy with the advisory text above, which gives all versions up to and including 1.8.7 as affected: check the installed version against the plugin changelog and the fixing changeset before deciding whether 1.8.8 is exposed.

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement). The handler behind download_pdf_file() must decide, before streaming the PDF, that the wishlist referenced by the user-controlled key belongs to the requester or was explicitly shared with them; the absence of that decision is the IDOR.

Prevent: SI-10 (Information Input Validation). Validating the key's type and range is necessary but not sufficient: the key must also be resolved to a record the requester is authorized to read, otherwise a well-formed key for someone else's wishlist still passes.

Prevent: SI-2 (Flaw Remediation). Update the plugin to a release that includes changeset 3229758, which adds the missing validation; per the advisory text the vulnerable versions are those up to and including 1.8.7.
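The authorization gap described in the deeper analysis above, and the AC-3 / SI-10 enforcement this section calls for, shown side by side in an added illustration. This is not the plugin's code and does not reproduce the real download_pdf_file(): the function names, the wlfmc_demo_wishlists table and its columns, the "shared" privacy value, and the wishlist_id and token request parameters are all assumptions made for the example.

```php
<?php
/**
 * Added illustration, not MoreConvert plugin code. Table, column and
 * request-parameter names (wishlist_id, token) are assumptions.
 */

// Vulnerable shape: the request-supplied key is the only thing that decides
// which wishlist is rendered. Any value that resolves to a row wins (CWE-639).
function wlfmc_demo_download_pdf_vulnerable() {
	global $wpdb;
	$wishlist_id = isset( $_GET['wishlist_id'] ) ? absint( $_GET['wishlist_id'] ) : 0;
	$wishlist    = $wpdb->get_row( $wpdb->prepare(
		"SELECT id, user_id, privacy, share_token, title FROM {$wpdb->prefix}wlfmc_demo_wishlists WHERE id = %d",
		$wishlist_id
	) );
	if ( ! $wishlist ) {
		wp_die( 'Wishlist not found.', 404 );
	}
	// absint() is input validation (SI-10) but says nothing about who may read the row.
	wlfmc_demo_stream_pdf( $wishlist );
}

// Hardened shape: same lookup, then an access-enforcement decision (AC-3)
// before a single byte of the PDF is emitted.
function wlfmc_demo_download_pdf_hardened() {
	global $wpdb;
	$wishlist_id = isset( $_GET['wishlist_id'] ) ? absint( $_GET['wishlist_id'] ) : 0;
	$share_token = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
	$wishlist    = $wpdb->get_row( $wpdb->prepare(
		"SELECT id, user_id, privacy, share_token, title FROM {$wpdb->prefix}wlfmc_demo_wishlists WHERE id = %d",
		$wishlist_id
	) );
	if ( ! $wishlist ) {
		wp_die( 'Wishlist not found.', 404 );
	}
	if ( ! wlfmc_demo_can_download( $wishlist, get_current_user_id(), $share_token ) ) {
		// Returning 404 here too would also deny attackers an existence oracle;
		// 403 is kept for clarity of the example.
		wp_die( 'You are not allowed to download this wishlist.', 403 );
	}
	wlfmc_demo_stream_pdf( $wishlist );
}

/**
 * The authorization decision, kept free of request handling so it can be
 * unit-tested. Allows only the owner, a store manager, or a bearer of the
 * list's own unguessable share token on a list explicitly marked shared.
 */
function wlfmc_demo_can_download( $wishlist, $user_id, $share_token ) {
	$user_id = (int) $user_id;
	if ( $user_id > 0 && (int) $wishlist->user_id === $user_id ) {
		return true;
	}
	if ( $user_id > 0 && user_can( $user_id, 'manage_woocommerce' ) ) {
		return true;
	}
	if ( 'shared' === $wishlist->privacy
		&& '' !== $share_token
		&& is_string( $wishlist->share_token )
		&& hash_equals( $wishlist->share_token, $share_token ) ) { // constant-time compare
		return true;
	}
	return false;
}

function wlfmc_demo_stream_pdf( $wishlist ) {
	nocache_headers();
	header( 'Content-Type: application/pdf' );
	header( 'Content-Disposition: attachment; filename="wishlist-' . (int) $wishlist->id . '.pdf"' );
	// The real plugin would hand $wishlist to its PDF renderer here; the
	// rendering itself is not what this example is about.
	echo 'PDF bytes for wishlist ' . (int) $wishlist->id;
	exit;
}

// Wire the hardened handler for logged-in and anonymous callers alike: the
// nopriv hook is required because share-token access is legitimately
// unauthenticated. A nonce would add CSRF protection but is not an ownership
// check, so on its own it would not have closed this IDOR.
add_action( 'wp_ajax_wlfmc_demo_download_pdf', 'wlfmc_demo_download_pdf_hardened' );
add_action( 'wp_ajax_nopriv_wlfmc_demo_download_pdf', 'wlfmc_demo_download_pdf_hardened' );
```

With the hardened handler a request carrying only wishlist_id is refused unless the caller owns that list; a shared list is reachable only with its per-list token, which should be generated when sharing is enabled (for example bin2hex( random_bytes( 16 ) ) or wp_generate_password( 32, false )) and never derived from the ID, otherwise the token is just a second user-controlled key.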