
CVE-2024-11725: CWE-862 Missing Authorization in cozyvision1 SMS Alert Order Notifications – WooCommerce

Severity: High
Tags: CVE-2024-11725, CWE-862
Published: Tue Jan 07 2025 (01/07/2025, 06:40:56 UTC)
Source: CVE Database V5
Vendor/Project: cozyvision1
Product: SMS Alert Order Notifications – WooCommerce

Description

CVE-2024-11725 is a high-severity vulnerability affecting the SMS Alert Order Notifications – WooCommerce WordPress plugin up to version 3.7.6. It arises from a missing authorization check in the updateWcWarrantySettings() function, allowing authenticated users with subscriber-level privileges or higher to modify arbitrary site options. Exploitation requires the presence of the woocommerce-warranty plugin and can lead to privilege escalation by changing the default user role to administrator and enabling user registration, thereby granting attackers administrative access. The vulnerability has a CVSS score of 8.8, indicating critical impacts on confidentiality, integrity, and availability without requiring user interaction. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to prevent unauthorized site takeover.

AI-Powered Analysis

Last updated: 02/26/2026, 06:11:35 UTC

Technical Analysis

CVE-2024-11725 is a vulnerability classified under CWE-862 (Missing Authorization) found in the SMS Alert Order Notifications – WooCommerce plugin for WordPress, specifically in the updateWcWarrantySettings() function. This function lacks proper capability checks, allowing any authenticated user with subscriber-level access or higher to update arbitrary WordPress options. The vulnerability is exploitable only if the woocommerce-warranty plugin is installed, as it targets warranty-related settings. Attackers can exploit this flaw to escalate privileges by modifying the default user role to administrator and enabling user registration, thereby creating new admin accounts without legitimate authorization. The vulnerability affects all versions up to and including 3.7.6. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low attack complexity, privileges required at a low level, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are known, the ease of exploitation and potential for complete site compromise make this a critical threat for affected WordPress sites. The vulnerability was publicly disclosed in January 2025, with no official patch links available at the time of reporting.
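The CWE-862 pattern described above is an AJAX handler that writes whatever option name and value the request supplies, with no capability check. The following is an added illustrative example written for this page; it is not the plugin's own code and does not reconstruct updateWcWarrantySettings(). The `example_` function and option names and the allowlist are assumptions; `current_user_can()`, `check_ajax_referer()`, `update_option()` and the `wp_ajax_` hook are standard WordPress APIs. The first handler shows the weak shape, the second the hardened form a fix would take.

```php
<?php
// Added illustrative example (not the affected plugin's code). Both handlers are
// hypothetical reconstructions of the CWE-862 pattern the advisory describes.

// VULNERABLE PATTERN: wp_ajax_* actions fire for every authenticated role,
// subscribers included, so anyone logged in can reach this and have
// update_option() called on an arbitrary key (e.g. default_role).
add_action( 'wp_ajax_example_update_warranty_settings', 'example_update_warranty_settings_vulnerable' );
function example_update_warranty_settings_vulnerable() {
    $option = sanitize_text_field( wp_unslash( $_POST['option'] ?? '' ) );
    $value  = wp_unslash( $_POST['value'] ?? '' );
    update_option( $option, $value ); // no capability check, no nonce, no allowlist
    wp_send_json_success();
}

// HARDENED PATTERN: capability check, nonce, and an allowlist of the only
// options this feature is meant to touch (option names are assumptions).
const EXAMPLE_ALLOWED_WARRANTY_OPTIONS = array(
    'example_warranty_sms_enabled'  => 'boolean',
    'example_warranty_sms_template' => 'string',
);

add_action( 'wp_ajax_example_update_warranty_settings_secure', 'example_update_warranty_settings_secure' );
function example_update_warranty_settings_secure() {
    // 1. Authorization: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this exact action.
    check_ajax_referer( 'example_update_warranty_settings', 'nonce' );

    // 3. Allowlist: reject any option key outside the feature's own settings,
    //    so core options such as default_role or users_can_register are unreachable.
    $option = sanitize_key( wp_unslash( $_POST['option'] ?? '' ) );
    if ( ! array_key_exists( $option, EXAMPLE_ALLOWED_WARRANTY_OPTIONS ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Enforce the expected type before storing the value.
    $raw   = wp_unslash( $_POST['value'] ?? '' );
    $value = ( 'boolean' === EXAMPLE_ALLOWED_WARRANTY_OPTIONS[ $option ] )
        ? ( '1' === $raw ? '1' : '0' )
        : sanitize_text_field( $raw );

    update_option( $option, $value );
    wp_send_json_success();
}
```

The allowlist is the step that matters most for this class of bug: even with a capability check, a handler that accepts an arbitrary option name lets any future capability mistake turn into a full site-option write. Sanitizing input, as the vulnerable handler does, is not a substitute for authorization.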

Potential Impact

The impact of CVE-2024-11725 is severe for organizations using the vulnerable plugin alongside the woocommerce-warranty plugin. Exploitation allows attackers with minimal privileges to gain full administrative control over the WordPress site, compromising confidentiality by accessing sensitive data, integrity by modifying site configurations and content, and availability by potentially disrupting site operations. This can lead to unauthorized data access, defacement, installation of backdoors or malware, and complete site takeover. E-commerce sites relying on WooCommerce are particularly at risk, as attackers could manipulate order notifications, warranty settings, and user roles, undermining customer trust and business operations. The vulnerability's network accessibility and lack of user interaction requirements increase the likelihood of exploitation, especially on sites with subscriber or higher-level users. Organizations may face reputational damage, financial loss, and regulatory consequences if exploited.

Mitigation Recommendations

To mitigate CVE-2024-11725, organizations should immediately verify if the SMS Alert Order Notifications – WooCommerce plugin and the woocommerce-warranty plugin are installed and active. If so, restrict subscriber-level user capabilities temporarily to prevent exploitation. Monitor and audit user roles and registrations for suspicious changes. Disable user registration if not required. Implement a Web Application Firewall (WAF) with custom rules to block unauthorized attempts to invoke updateWcWarrantySettings() or modify options. Regularly back up the WordPress site and database to enable recovery. Follow vendor advisories for patches or updates; if no patch is available, consider removing or replacing the vulnerable plugin. Employ the principle of least privilege by limiting user roles and capabilities. Conduct thorough security assessments and penetration testing focusing on plugin vulnerabilities. Finally, keep WordPress core, themes, and plugins updated to minimize exposure to similar vulnerabilities.
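The monitoring and least-privilege advice above can be enforced at the option layer, independently of any plugin. The following mu-plugin is an added illustrative example, not from the advisory or the affected plugin. The `pre_update_option_{$option}` filter and `update_option_{$option}` action are real WordPress hooks; the `example_` function names, the blocked-role list and the log format are assumptions. It refuses to let `default_role` become a high-privilege role and logs any change to `users_can_register`, the two options the advisory names as the escalation path.

```php
<?php
/*
 * Plugin Name: Example Sensitive Option Guard
 * Description: Added illustrative mu-plugin (not part of the advisory or the
 *              affected plugin). Place in wp-content/mu-plugins/ so it loads
 *              before regular plugins and cannot be deactivated from the UI.
 */

// Block any attempt to make a high-privilege role the default for new
// registrations, whichever code path calls update_option('default_role', ...).
add_filter( 'pre_update_option_default_role', function ( $new_value, $old_value ) {
    $blocked = array( 'administrator', 'editor' ); // roles never acceptable as the signup default (assumption)
    if ( in_array( $new_value, $blocked, true ) ) {
        example_guard_log( 'default_role', $old_value, $new_value, 'blocked' );
        return $old_value; // returning the old value makes update_option() a no-op
    }
    return $new_value;
}, 10, 2 );

// Log (without blocking) changes to users_can_register so an unexpected
// enablement shows up in the PHP error log or whatever collects it.
add_action( 'update_option_users_can_register', function ( $old_value, $new_value ) {
    example_guard_log( 'users_can_register', $old_value, $new_value, 'changed' );
}, 10, 2 );

// Single-line log record with the acting user and source address, so the
// event can be correlated with web-server logs during incident response.
function example_guard_log( $option, $old, $new, $outcome ) {
    $user = wp_get_current_user(); // ID 0 when no user is logged in
    error_log( sprintf(
        '[option-guard] option=%s old=%s new=%s outcome=%s user_id=%d user=%s ip=%s',
        $option,
        (string) $old,
        (string) $new,
        $outcome,
        $user->ID,
        $user->ID ? $user->user_login : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
}
```

Because the hooks fire inside `update_option()` itself, the guard covers the vulnerable AJAX path, WP-CLI, and the admin settings screen alike; an administrator who genuinely needs to change `default_role` must remove the mu-plugin first, which is the intended friction.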


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-11-25T20:41:23.678Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e1bb7ef31ef0b59544a

Added to database: 2/25/2026, 9:48:11 PM

Last enriched: 2/26/2026, 6:11:35 AM

Last updated: 2/26/2026, 7:46:01 AM

