CVE-2024-12617 identifies a missing authorization vulnerability (CWE-862) in the WC Price History for Omnibus WordPress plugin developed by kkarpieszuk. This plugin, used to track and display historical pricing data in WooCommerce environments, fails to enforce capability checks on multiple AJAX endpoints. As a result, any authenticated user with Subscriber-level access or above can invoke these AJAX actions to both view and modify sensitive price history data. The vulnerability affects all versions up to and including 2.1.3. The lack of proper authorization checks means that attackers do not need elevated privileges beyond basic authenticated access, and no user interaction is required to exploit the flaw. The CVSS 3.1 base score is 5.4, indicating a medium severity with network attack vector, low attack complexity, and no user interaction. The impact primarily concerns confidentiality and integrity of pricing data, potentially allowing unauthorized data disclosure and tampering, which could undermine trust and business operations. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. The flaw is particularly critical in e-commerce contexts where price history integrity is essential for business analytics, customer trust, and compliance.

The vulnerability allows authenticated users with minimal privileges to access and manipulate price history data, compromising data confidentiality and integrity. This can lead to unauthorized disclosure of sensitive pricing trends and unauthorized modification of historical pricing records, potentially affecting business decisions, customer trust, and compliance with pricing regulations. While availability is not impacted, the integrity breach could facilitate fraudulent activities or competitive disadvantage. Organizations relying on this plugin for WooCommerce storefronts may face reputational damage and financial loss if attackers exploit this flaw. Since exploitation requires only Subscriber-level access, attackers could leverage compromised low-privilege accounts or social engineering to gain initial access and then escalate impact. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is public and could be targeted in the future.

1. Immediately update the WC Price History for Omnibus plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict access to the plugin’s AJAX endpoints by implementing custom capability checks or firewall rules at the web server or application level to block unauthorized AJAX requests. 3. Review and tighten user role assignments in WordPress, minimizing Subscriber-level accounts and ensuring only trusted users have authenticated access. 4. Monitor logs for unusual AJAX activity related to the plugin’s endpoints to detect potential exploitation attempts. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the plugin. 6. Conduct regular security audits of WordPress plugins and user permissions to identify and remediate similar authorization issues proactively. 7. Educate administrators and users about the risks of low-privilege account compromise and enforce strong authentication mechanisms.