Platform: wordpress
Component: woocommerce-customers-manager
Fixed in: 31.3.1
CVE-2024-13343 is a privilege escalation vulnerability in the WooCommerce Customers Manager plugin for WordPress. It allows authenticated attackers, including those with only Subscriber-level access, to escalate their privileges to administrator, giving them full control over the WordPress site. The vulnerability affects versions of the plugin up to and including 31.3. A patched release is available, and users need to update the plugin to receive it.
The impact of this vulnerability is significant. An attacker who successfully exploits CVE-2024-13343 gains full administrative access to the WordPress site. This allows them to modify any content, install malicious plugins or themes, steal sensitive data (customer information, financial details), and potentially compromise the entire system. The attacker could also use the compromised site to launch further attacks against other systems on the network, expanding the blast radius. This vulnerability shares similarities with other privilege escalation flaws where insufficient access controls lead to unauthorized privilege elevation.
CVE-2024-13343 was publicly disclosed on 2025-02-01. The EPSS score is likely to be medium, given the relatively straightforward exploitation path and the potential for significant impact. Public proof-of-concept (PoC) code is anticipated to be released, increasing the risk of exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.16% (37th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13343 is to update the WooCommerce Customers Manager plugin immediately to a version that includes the fix. If an immediate upgrade is not possible because of compatibility issues or breaking changes, consider temporarily restricting access to the ajaxassignnew_roles() function through a WordPress filter or a custom plugin. This is not a complete solution, but it reduces the attack surface. Monitor WordPress access logs for suspicious activity, particularly attempts to modify user roles. After upgrading, confirm the fix by attempting to assign the administrator role while logged in as a Subscriber-level user and verifying that the action is denied.
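The monitoring and defense-in-depth measures described above can be implemented as a small must-use plugin. The following is an added example written for this page; it is not code from the WooCommerce Customers Manager plugin or from the advisory. It relies only on core WordPress hooks (set_user_role, editable_roles, user_can, wp_mail) and assumes it is dropped into wp-content/mu-plugins/ so it loads before regular plugins. Whether the editable_roles filter affects the plugin's own role-assignment path is an assumption not confirmed by the advisory, so the filter is defense in depth, not a replacement for the update.

```php
<?php
/**
 * Plugin Name: Role Change Monitor (added example, not part of the advisory)
 * Description: Logs every user role change and alerts when a user is promoted
 *              to administrator by an actor lacking the promote_users capability.
 *
 * Install path (assumption): wp-content/mu-plugins/role-change-monitor.php
 */

defined( 'ABSPATH' ) || exit;

/**
 * Core fires set_user_role from WP_User::set_role() after a role is changed.
 * Record who changed whose role, from which IP and request, so role
 * modifications become visible in the PHP error log (debug.log when
 * WP_DEBUG_LOG is enabled) even if the calling code path is not the
 * standard user editor.
 */
add_action( 'set_user_role', function ( $user_id, $new_role, $old_roles ) {
    $actor_id = get_current_user_id(); // 0 for unauthenticated requests, cron or WP-CLI
    $actor    = $actor_id ? get_userdata( $actor_id ) : null;
    $target   = get_userdata( $user_id );

    $entry = sprintf(
        '[role-monitor] target=%s(%d) old=%s new=%s actor=%s(%d) ip=%s uri=%s',
        $target ? $target->user_login : 'unknown',
        (int) $user_id,
        implode( ',', (array) $old_roles ),
        $new_role,
        $actor ? $actor->user_login : 'none',
        (int) $actor_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli'
    );
    error_log( $entry );

    // Promotion to administrator by an account that is not allowed to promote
    // users is exactly the outcome this CVE produces: alert the site owner.
    if ( 'administrator' === $new_role && ! user_can( $actor_id, 'promote_users' ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Suspicious administrator role assignment on ' . home_url(),
            $entry
        );
    }
}, 10, 3 );

/**
 * Defense in depth: remove the administrator role from the set of roles a
 * user without promote_users may assign. Core's user editor honours this
 * filter; third-party code may not, so the plugin update remains required.
 */
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );
```

After deploying it, the verification step from the mitigation text doubles as a test of the monitor: a denied attempt produces no set_user_role event, while a successful escalation on an unpatched site produces a log line and an alert mail naming the Subscriber account that performed it.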
Update the WooCommerce Customers Manager plugin to the latest available version. The vulnerability is present in versions prior to the most recent release, and updating fixes the privilege escalation issue.
CVE-2024-13343 is a vulnerability in WooCommerce Customers Manager that allows authenticated users with Subscriber access to gain administrator privileges. It affects versions up to and including 31.3 and has a HIGH severity rating.
If you are using WooCommerce Customers Manager version 31.3 or earlier, you are potentially affected. Check your plugin version and update immediately if necessary.
Update the WooCommerce Customers Manager plugin to the latest version. If an immediate upgrade is not possible, consider temporarily restricting access to the vulnerable function.
While active exploitation is not confirmed, the vulnerability is publicly known, and PoC code is anticipated, increasing the risk of exploitation.
Refer to the WooCommerce website and WordPress security announcements for official advisories and updates related to CVE-2024-13343.