CVE-2024-13343 is a vulnerability classified under CWE-269 (Improper Privilege Management) found in the Vanquish WooCommerce Customers Manager plugin for WordPress. The root cause is the absence of a proper capability check in the ajax_assign_new_roles() function, which is responsible for assigning new user roles via AJAX requests. Because this function does not verify whether the requesting user has sufficient privileges, any authenticated user with at least Subscriber-level access can invoke this function to assign themselves administrator privileges. This effectively allows privilege escalation from a low-privilege user to a site administrator, granting full control over the WordPress site. The vulnerability affects all plugin versions up to and including 31.3. The CVSS v3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, privileges required but no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits are publicly reported, the vulnerability's nature and ease of exploitation make it a critical risk for affected sites. The plugin is widely used in WooCommerce-based e-commerce sites, which often handle sensitive customer and transactional data, increasing the stakes of a successful attack.

The impact of CVE-2024-13343 is severe for organizations running WordPress sites with the vulnerable WooCommerce Customers Manager plugin. Successful exploitation allows attackers to gain administrator privileges, enabling them to fully control the website, including installing malicious plugins, modifying or deleting content, stealing sensitive customer data, and potentially pivoting to other parts of the network. This can lead to data breaches, financial loss, reputational damage, and disruption of business operations. E-commerce sites are particularly at risk due to the sensitive nature of customer and payment information. The vulnerability's network accessibility and lack of required user interaction increase the likelihood of exploitation. Organizations worldwide that rely on WooCommerce for online sales and customer management are at risk, especially those that have not implemented strict access controls or monitoring for privilege changes.

To mitigate CVE-2024-13343, organizations should immediately update the WooCommerce Customers Manager plugin to a patched version once available from Vanquish. Until a patch is released, administrators should consider disabling or restricting access to the ajax_assign_new_roles() function by implementing custom access controls or firewall rules that block unauthorized AJAX requests targeting this function. Additionally, review and tighten user role assignments and permissions, ensuring that only trusted users have Subscriber-level or higher access. Implement monitoring and alerting for unexpected role changes or administrative account creations. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious privilege escalation attempts. Regularly audit user accounts and roles for anomalies. Finally, maintain regular backups and have an incident response plan ready to quickly recover from potential compromises.