Platform: wordpress
Component: woozone
Fixed in: 14.0.11, 14.1.00
CVE-2024-33549 describes a privilege escalation vulnerability within the WooCommerce Amazon Affiliates WordPress plugin. This flaw allows authenticated users with subscriber-level access or higher to elevate their privileges, potentially gaining unauthorized access to sensitive data or functionalities. The vulnerability impacts versions of the plugin prior to 14.1.00, and a patch has been released to address the issue.
An attacker exploiting this vulnerability could gain administrative privileges within the WordPress site, effectively taking control of the entire platform. This could lead to data breaches, website defacement, malware injection, and other malicious activities. The impact is particularly severe as subscriber-level users are often granted limited access, and this vulnerability bypasses those restrictions. The ability to escalate privileges allows for complete control over the WooCommerce Amazon Affiliates plugin configuration and potentially the entire WordPress installation, depending on the site's overall security posture.
CVE-2024-33549 was publicly disclosed on April 25, 2024. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the prevalence of WordPress sites make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests that they are likely to emerge.
Exploit Status:
EPSS: 0.46% (64th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-33549 is to immediately upgrade the WooCommerce Amazon Affiliates plugin to version 14.1.00 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider restricting subscriber-level user permissions to minimize the potential impact. Review user roles and privileges to ensure the principle of least privilege is enforced. Implement a WordPress security plugin with robust access control features. After upgrade, verify the plugin's functionality and user permissions to confirm the vulnerability has been successfully remediated.
Update to version 14.1.00 or a newer patched version.
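The upgrade-and-verify steps above, as an added shell audit helper that is not part of this advisory or of the plugin: it reads the installed plugin version with WP-CLI, compares it against the first fixed release, and lists administrator accounts that are not on an expected allowlist, which is the "review user roles" check the mitigation calls for. It assumes WP-CLI is installed and that the plugin's directory slug is woozone (the Component name given above); both are assumptions to confirm on your own site.

```shell
#!/usr/bin/env bash
# Post-advisory audit helper (added example, not from the advisory or the plugin).
# Assumes WP-CLI is installed and that "woozone" (the advisory's Component field)
# is the plugin directory slug; confirm the slug on your own site first.
set -eu

FIXED_VERSION="14.1.00"   # first fixed release named in the advisory

# version_lt A B: succeed when dotted numeric version A is older than B.
# Segments compare numerically, so 14.0.11 < 14.1.00 and 14.1.0 equals 14.1.00.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=$(printf '%s' "${a%%.*}" | sed 's/^0*//'); ai=${ai:-0}
    bi=$(printf '%s' "${b%%.*}" | sed 's/^0*//'); bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# unexpected_admins "<allowed logins>": read administrator logins from stdin and
# print the ones missing from the space-separated allowlist.
unexpected_admins() {
  while IFS= read -r login; do
    case " $1 " in *" $login "*) ;; *) printf '%s\n' "$login" ;; esac
  done
}

# audit_site "<allowed logins>": run both checks against the live site via WP-CLI.
audit_site() {
  installed=$(wp plugin get woozone --field=version)
  if version_lt "$installed" "$FIXED_VERSION"; then
    echo "VULNERABLE: woozone $installed predates $FIXED_VERSION; run: wp plugin update woozone"
  else
    echo "OK: woozone $installed is at or past the fixed version"
  fi
  extra=$(wp user list --role=administrator --field=user_login | unexpected_admins "$1")
  if [ -n "$extra" ]; then
    echo "REVIEW: administrator accounts not on the allowlist:"; echo "$extra"
  else
    echo "OK: every administrator account is on the allowlist"
  fi
}

# Usage: ./audit.sh --live "alice bob"   (space-separated expected administrators)
if [ "${1:-}" = "--live" ]; then audit_site "${2:-}"; fi
```

Run it once before and once after the plugin update; the second run should report the fixed version and no unlisted administrators.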
CVE-2024-33549 is a privilege escalation vulnerability affecting the WooCommerce Amazon Affiliates WordPress plugin, allowing authenticated subscribers to gain higher privileges.
You are affected if you are using WooCommerce Amazon Affiliates version 14.1.00 or earlier. Upgrade to 14.1.00 to resolve the issue.
Upgrade the WooCommerce Amazon Affiliates plugin to version 14.1.00 or later. Review user roles and permissions for added security.
There is currently no confirmed active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the WooCommerce website and WordPress plugin repository for the latest security advisories and updates related to CVE-2024-33549.