HIGH · CVE-2024-13343 · CVSS 8.8

WooCommerce Customers Manager <= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Platform

wordpress

Component

woocommerce-customers-manager

Fixed in

31.3.1

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2024-13343 is a Privilege Escalation vulnerability discovered in the WooCommerce Customers Manager plugin for WordPress. This flaw allows authenticated attackers, even those with limited Subscriber-level access, to escalate their privileges to that of an administrator, granting them full control over the WordPress site. The vulnerability affects versions of the plugin up to and including 31.3. A patch is available, requiring users to update their plugin.


Impact and Attack Scenarios

The impact of this vulnerability is significant. An attacker who successfully exploits CVE-2024-13343 gains full administrative access to the WordPress site. This allows them to modify any content, install malicious plugins or themes, steal sensitive data (customer information, financial details), and potentially compromise the entire system. The attacker could also use the compromised site to launch further attacks against other systems on the network, expanding the blast radius. This vulnerability shares similarities with other privilege escalation flaws where insufficient access controls lead to unauthorized privilege elevation.

Exploitation Context

CVE-2024-13343 was publicly disclosed on 2025-02-01. The EPSS score is likely to be medium, given the relatively straightforward exploitation path and the potential for significant impact. Public proof-of-concept (PoC) code is anticipated to be released, increasing the risk of exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.

Who Is at Risk

Websites using the WooCommerce Customers Manager plugin, particularly those running older versions (≤31.3), are at risk. Shared hosting environments where multiple WordPress sites share the same server are especially vulnerable, as a compromise on one site could potentially lead to lateral movement to others. Sites with weak password policies or that haven't implemented multi-factor authentication are also at increased risk.

Detection Steps

• Confirm the vulnerable handler is present in the installed plugin source (the function name is searched without the trailing parentheses so both the definition and its call sites match):

grep -rn 'ajax_assign_new_roles' /var/www/html/wp-content/plugins/woocommerce-customers-manager/

• Check the installed version and activation status with WP-CLI (`wp plugin list` accepts field filters such as `--name`; a positional plugin slug is not a valid argument to that subcommand):

wp plugin list --name=woocommerce-customers-manager --fields=name,status,version

• Update the single plugin to the fixed release (`--all` cannot be combined with a named plugin):

wp plugin update woocommerce-customers-manager

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.16% (percentile 37%)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H · 8.8 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (level of authentication required)
User Interaction: None (whether a victim action is required)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)
nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: woocommerce-customers-manager
Vendor: Vanquish
Affected range: * – 31.3
Fixed in: 31.3.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No patch: 477 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-13343 is to immediately update the WooCommerce Customers Manager plugin to a version that includes the fix (31.3.1 or later). If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider temporarily restricting access to the ajax_assign_new_roles() function through a WordPress filter or custom plugin. While not a complete solution, this reduces the attack surface. Monitor WordPress access logs for suspicious activity, particularly attempts to modify user roles. After upgrading, confirm the fix by attempting to assign an administrator role from an account with Subscriber privileges and verifying that the action is denied.
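The following must-use plugin is an added example of the interim workaround and the role-change monitoring described above; it is not code from WooCommerce Customers Manager or from this advisory's author. It assumes the vulnerable handler is reached through admin-ajax.php, and because this page does not name the AJAX action string, a clearly labelled placeholder is used that must be replaced with the real value found in the plugin source. Everything else (admin_init, wp_doing_ajax(), the promote_users capability, and the set_user_role / add_user_role actions) is standard WordPress core.

```php
<?php
/**
 * Plugin Name: Role-change guard (added example, not part of the plugin)
 * Description: Interim workaround and monitoring for CVE-2024-13343.
 *              Place in wp-content/mu-plugins/ so the plugin cannot disable it.
 */

// ASSUMPTION: the admin-ajax action name of the vulnerable handler is not given
// on this page. Replace this placeholder with the real value after locating
// ajax_assign_new_roles() in the plugin source (see the grep detection step).
const RCG_SUSPECT_AJAX_ACTIONS = array( 'PLACEHOLDER_assign_new_roles_action' );

/**
 * Deny the role-assignment AJAX action to anyone lacking promote_users, the
 * capability WordPress core itself requires to change another user's role.
 * admin_init fires inside admin-ajax.php before the wp_ajax_* dispatch, so the
 * check runs ahead of the plugin's own handler.
 */
function rcg_block_unprivileged_role_assignment() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( ! in_array( $action, RCG_SUSPECT_AJAX_ACTIONS, true ) ) {
        return;
    }
    if ( ! current_user_can( 'promote_users' ) ) {
        error_log( sprintf(
            '[rcg] blocked ajax action "%s" for user %d from %s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        // Short-circuit the request with a 403 before the handler runs.
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}
add_action( 'admin_init', 'rcg_block_unprivileged_role_assignment', 1 );

/**
 * Record every role change server-side, whoever triggered it, so that the
 * access-log review recommended above has a reliable record to correlate with.
 * The distinctive signal for this bug class is an elevation to administrator
 * performed in a request whose current user could not legitimately do it.
 */
function rcg_log_role_change( $user_id, $role, $old_roles = array() ) {
    $via = wp_doing_ajax() ? 'admin-ajax' : ( ( defined( 'WP_CLI' ) && WP_CLI ) ? 'wp-cli' : 'web' );
    error_log( sprintf(
        '[rcg] role change: user %d now "%s" (was: %s) by actor %d via %s',
        $user_id,
        $role,
        $old_roles ? implode( ',', (array) $old_roles ) : 'n/a',
        get_current_user_id(),
        $via
    ) );
    if ( 'administrator' === $role && ! current_user_can( 'promote_users' ) ) {
        error_log( '[rcg] ALERT: administrator role granted by an actor without promote_users' );
    }
}
add_action( 'set_user_role', 'rcg_log_role_change', 10, 3 );
add_action( 'add_user_role', 'rcg_log_role_change', 10, 2 );
```

To carry out the verification step the advisory suggests, log in to a staging copy as a Subscriber, submit the role-assignment request, and confirm both that the response is a 403 JSON error and that a `[rcg] blocked` line (and no `[rcg] role change` line) appears in the PHP error log; after updating to 31.3.1 the guard can stay in place as a monitoring layer, since it only ever denies an action that core already reserves for users with promote_users.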

How to Fix

Update the WooCommerce Customers Manager plugin to the latest available version. The vulnerability is present in versions prior to the most recent release; updating corrects the privilege escalation issue.


Frequently Asked Questions

What is CVE-2024-13343 — Privilege Escalation in WooCommerce Customers Manager?

CVE-2024-13343 is a vulnerability in WooCommerce Customers Manager allowing authenticated users with Subscriber access to gain administrator privileges. It affects versions up to 31.3 and has a HIGH severity rating.

Am I affected by CVE-2024-13343 in WooCommerce Customers Manager?

If you are using WooCommerce Customers Manager version 31.3 or earlier, you are potentially affected. Check your plugin version and update immediately if necessary.

How do I fix CVE-2024-13343 in WooCommerce Customers Manager?

Update the WooCommerce Customers Manager plugin to the latest version. If an immediate upgrade is not possible, consider temporarily restricting access to the vulnerable function.

Is CVE-2024-13343 being actively exploited?

While active exploitation is not confirmed, the vulnerability is publicly known, and PoC code is anticipated, increasing the risk of exploitation.

Where can I find the official WooCommerce advisory for CVE-2024-13343?

Refer to the WooCommerce website and WordPress security announcements for official advisories and updates related to CVE-2024-13343.
