
CVE-2024-13511: CWE-352 Cross-Site Request Forgery (CSRF) in themehunk Variation Swatches for WooCommerce

Severity: Medium
Tags: vulnerability, CVE-2024-13511, CWE-352
Published: Thu Jan 23 2025 (01/23/2025, 09:21:08 UTC)
Source: CVE Database V5
Vendor/Project: themehunk
Product: Variation Swatches for WooCommerce

Description

CVE-2024-13511 is a medium severity Cross-Site Request Forgery (CSRF) vulnerability affecting the Variation Swatches for WooCommerce plugin versions 1.0.8 through 1.3.2. The vulnerability arises from improper nonce verification in the plugin's settings reset functionality, specifically within the settings_init() and delete_settings() functions. An attacker can exploit this flaw by tricking an authenticated WooCommerce administrator into visiting a crafted URL, causing an unauthorized reset of plugin settings without their consent. Although the vulnerability does not impact confidentiality or availability, it can lead to integrity issues by altering configuration settings. Exploitation requires user interaction but no prior authentication, making it moderately easy to exploit. There are no known exploits in the wild currently, and no patches have been published yet.

AI-Powered Analysis

Last updated: 02/26/2026, 00:29:05 UTC

Technical Analysis

CVE-2024-13511 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Variation Swatches for WooCommerce plugin, versions 1.0.8 through 1.3.2. The root cause is improper nonce verification in the plugin's settings reset mechanism. Specifically, the settings_init() function processes reset actions triggered by URL query parameters, and the delete_settings() function performs a flawed nonce validation check. Nonces are security tokens intended to ensure that requests are legitimate and initiated by authorized users. However, due to faulty nonce validation, an attacker can craft a malicious URL that, when visited by an authenticated WooCommerce administrator, triggers an unauthorized reset of the plugin's settings. This can lead to unintended configuration changes, potentially disrupting the user experience or e-commerce operations. The vulnerability does not allow direct data theft or denial of service but compromises the integrity of plugin settings. Exploitation requires the victim to interact with a malicious link (user interaction) but does not require prior authentication by the attacker. The CVSS v3.1 base score is 4.3, reflecting a medium severity level. No patches or fixes have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-352, which covers CSRF issues.

Potential Impact

The primary impact of this vulnerability is on the integrity of the affected WooCommerce plugin's configuration. Unauthorized resetting of settings can disrupt e-commerce site functionality, potentially causing incorrect product variation displays or loss of customized swatch configurations. This can degrade user experience, reduce customer trust, and indirectly impact sales and revenue. While the vulnerability does not expose sensitive data or cause denial of service, the unauthorized changes could require administrative effort to detect and remediate, increasing operational overhead. Attackers could leverage this vulnerability as part of a broader attack chain to weaken site controls or prepare for further exploitation. Given WooCommerce's widespread use globally, many online retailers using the affected plugin versions could be at risk. The requirement for user interaction limits mass exploitation but targeted phishing or social engineering campaigns could be effective. The absence of known exploits in the wild suggests limited current impact but does not preclude future exploitation once public details are widely known.

Mitigation Recommendations

Organizations should immediately verify whether they are running versions 1.0.8 through 1.3.2 of the Variation Swatches for WooCommerce plugin and plan to upgrade to a patched version once available. In the absence of an official patch, administrators can implement the following mitigations:

1) Disable or restrict access to the plugin's settings reset functionality to trusted administrators only, potentially by applying additional server-side access controls or IP restrictions.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests containing reset parameters or nonce bypass attempts.
3) Educate administrators to avoid clicking on untrusted links, especially those purporting to reset or change plugin settings.
4) Monitor logs for unusual reset actions or URL parameters indicative of exploitation attempts.
5) Consider implementing additional nonce verification or CSRF protection at the application level if feasible.
6) Regularly back up plugin configurations to enable quick restoration if unauthorized resets occur.

These steps go beyond generic advice by focusing on access control, monitoring, and proactive detection tailored to this specific vulnerability.
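What correct nonce and capability checking looks like for a query-parameter-driven settings reset, as an added example written for this page: this is not the Variation Swatches plugin's code, the weak pattern is a hypothetical illustration of CWE-352 rather than the plugin's actual flaw, and the hook, option name, action name and thv_example_* function names are assumed.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical admin page with a
// "reset settings" link; the handler must refuse any request that does not
// carry a nonce WordPress minted for this logged-in user and this action.

// Hypothetical weak pattern: the nonce is only checked when present, so a
// link that simply omits _wpnonce still reaches the delete routine.
function thv_example_reset_weak() {
    if ( empty( $_GET['thv_reset'] ) ) {
        return;
    }
    if ( isset( $_GET['_wpnonce'] )
        && ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'thv_reset' ) ) {
        wp_die( 'Invalid request.' );
    }
    thv_example_delete_settings();
}

// Hardened pattern: capability check first, then an unconditional nonce check
// bound to this specific action. check_admin_referer() calls wp_die() when the
// nonce is missing or does not verify, so execution never reaches the delete.
function thv_example_reset_hardened() {
    if ( empty( $_GET['thv_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'thv_reset', '_wpnonce' );
    thv_example_delete_settings();
    // Redirect so the reset is not replayed on refresh and the nonce leaves the URL.
    wp_safe_redirect( remove_query_arg( array( 'thv_reset', '_wpnonce' ) ) );
    exit;
}

function thv_example_delete_settings() {
    delete_option( 'thv_example_settings' ); // assumed option name
}

// The only legitimate reset link is one generated server-side with a nonce;
// a third-party page cannot forge this value for the victim's session.
function thv_example_reset_url() {
    $page = admin_url( 'admin.php?page=thv_example&thv_reset=1' );
    return wp_nonce_url( $page, 'thv_reset', '_wpnonce' );
}

add_action( 'admin_init', 'thv_example_reset_hardened' );
```

Nonces are per-user and time-limited, so wp_verify_nonce() is also the check to keep in any custom handler; a WAF rule that flags reset parameters without a matching _wpnonce is a reasonable complement to mitigations 2 and 4, not a replacement for this server-side check.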


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-17T15:27:00.611Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5cb7ef31ef0b59eed1

Added to database: 2/25/2026, 9:49:16 PM

Last enriched: 2/26/2026, 12:29:05 AM

Last updated: 2/26/2026, 8:06:16 AM

