Privilege Escalation in WooCommerce Customers Manager Plugin for WordPress
CVE-2024-13343

8.8HIGH

Key Information:

Vendor: WordPress
Status: WooCommerce Customers Manager
Vendor: CVE Published:; 1 February 2025

Summary

The WooCommerce Customers Manager plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access and above to manipulate user roles improperly. Specifically, the ajax_assign_new_roles() function lacks a vital capability check, enabling an attacker to escalate their privileges to that of an administrator. This flaw potentially allows them to perform unauthorized actions within the site, posing significant risks to the security and integrity of WordPress installations.

Affected Version(s)

WooCommerce Customers Manager * <= 31.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/woocommerce-customers-manager...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 1, 2025