CVE-2024-13343

Published: Feb 1, 2025Modified: Feb 24, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

Affected (1)

Products: Vanquish: Woocommerce Customers Manager

1 product

Woocommerce Customers Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Vanquish Woocommerce Customers Manager	Before 31.4

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://codecanyon.net/item/woocommerce-customers-manager/10965432

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/193c9fe9-17bc-47e7-b93d-dfcebcf8004d?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.