CVE-2024-13343 — Improper Privilege Management in Woocommerce Customers Manager

CWE-269 — Improper Privilege Management CWE-862 — Missing Authorization3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 63.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vanquish Woocommerce Customers Manager

Timeline

PublishedFeb 1

Description

The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDvanquish/woocommerce_customers_manager< 31.4

▶CVEListV5vanquish/woocommerce_customers_manager31.3

🔴Vulnerability Details

GHSA

GHSA-w84c-wxw3-fr2x: The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_↗2025-02-01

▶

CVEList

WooCommerce Customers Manager <= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation↗2025-02-01

▶