CVE-2024-0797: CWE-862 Missing Authorization in realmag777 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store
The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 1.0.6.1. This makes it possible for subscribers and higher to execute functions intended for admin use.
AI Analysis
Technical Summary
CVE-2024-0797 identifies a missing authorization vulnerability (CWE-862) in the Active Products Tables for WooCommerce plugin developed by realmag777. This WordPress plugin, designed to enhance WooCommerce stores by providing professional product tables, fails to enforce proper capability checks on multiple functions across all versions up to 1.0.6.1. As a result, users with subscriber-level privileges or higher can invoke administrative functions that should be restricted, leading to unauthorized actions within the plugin's scope. The vulnerability is exploitable remotely without user interaction, as it requires only authenticated access at the subscriber level or above. The CVSS 3.1 base score of 4.3 reflects that the attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and impacts integrity (I:L) but not confidentiality or availability. The flaw does not disclose sensitive data or cause denial of service but allows unauthorized modification of plugin behavior or data, potentially undermining the integrity of product listings or store operations. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The vulnerability was published on February 5, 2024, and is tracked by Wordfence and CISA, indicating recognized risk within the WordPress security community.
Potential Impact
The primary impact of this vulnerability is unauthorized modification of the WooCommerce product tables managed by the plugin, which can lead to integrity issues such as altered product information, pricing, or availability. Attackers with subscriber or higher privileges could manipulate product displays or configurations, potentially misleading customers or disrupting store operations. Although confidentiality and availability are not directly affected, the integrity compromise can damage business reputation, customer trust, and revenue. Since WooCommerce powers a significant portion of e-commerce websites globally, especially small to medium-sized businesses relying on WordPress, the vulnerability could have widespread implications if exploited. The requirement for authenticated access limits exposure to attackers who have already gained some level of access, but insider threats or compromised subscriber accounts could leverage this flaw. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern for organizations prioritizing secure e-commerce environments.
Mitigation Recommendations
To mitigate CVE-2024-0797, organizations should first verify the user roles and permissions assigned within their WordPress and WooCommerce environments, ensuring that subscriber accounts are tightly controlled and monitored. Immediate steps include restricting subscriber privileges where possible and auditing user accounts for suspicious activity. Since no official patch is currently available, administrators should consider disabling or removing the vulnerable plugin until an update is released. If removal is not feasible, applying custom code to enforce capability checks on the affected plugin functions can serve as a temporary workaround. Monitoring logs for unauthorized function calls related to the plugin can help detect exploitation attempts. Additionally, implementing multi-factor authentication (MFA) for all user accounts reduces the risk of account compromise. Regular backups and incident response plans should be maintained to recover from any unauthorized changes. Staying informed through vendor advisories and security communities for patch releases is critical for timely remediation.
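As an added illustration (not the plugin's own code; the handler, hook, capability choice and meta-key names are hypothetical), the PHP below shows the CWE-862 pattern this advisory describes in a WordPress AJAX handler next to a hardened version that enforces a capability check, verifies a nonce, validates its input and logs denials so that the monitoring recommended above has something to look for:

```php
<?php
// Added example, not from the Active Products Tables plugin.
// Names such as apt_example_save_table and the 'apt_example_save' action are hypothetical.

// BEFORE (CWE-862): a wp_ajax_* hook only requires that the caller be logged in.
// Any subscriber can therefore reach this handler and rewrite table settings,
// because nothing checks what the user is allowed to do.
function apt_example_save_table_vulnerable() {
    $table_id = isset( $_POST['table_id'] ) ? absint( $_POST['table_id'] ) : 0;
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_post_meta( $table_id, '_apt_example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_apt_example_save_vulnerable', 'apt_example_save_table_vulnerable' );

// AFTER: authorization first, then CSRF protection, then input validation.
function apt_example_save_table_fixed() {
    // Capability check: 'manage_woocommerce' is held by shop managers and
    // administrators, not subscribers. Use the narrowest capability that fits.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        // Record the denial so log monitoring can flag repeated attempts.
        error_log( sprintf(
            'apt_example: denied table save for user %d from %s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Nonce check: stops a forged request from riding on an admin's session.
    // check_ajax_referer() terminates the request with 403 when the nonce is invalid.
    check_ajax_referer( 'apt_example_save', 'nonce' );

    // Validate that the target is actually one of the plugin's own objects.
    $table_id = isset( $_POST['table_id'] ) ? absint( $_POST['table_id'] ) : 0;
    if ( ! $table_id || 'apt_example_table' !== get_post_type( $table_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid table.' ), 400 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_post_meta( $table_id, '_apt_example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_apt_example_save_fixed', 'apt_example_save_table_fixed' );
```

The same capability-before-action ordering applies to admin_post_* handlers and REST routes (there, via the route's permission_callback); a login check alone never substitutes for it.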
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Brazil, India, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-22T22:26:16.095Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aec336
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 2/28/2026, 11:10:38 AM
Last updated: 3/24/2026, 4:27:19 PM