CVE-2024-13528 is an authentication bypass vulnerability identified in the Customer Email Verification for WooCommerce plugin for WordPress, affecting all versions up to and including 2.9.5. The root cause is a shortcode within the plugin that generates email verification confirmation links containing a placeholder email address rather than properly verifying the requesting user's identity. This flaw allows an authenticated attacker with Contributor-level privileges or higher to craft verification links for any unverified user account. By exploiting this, the attacker can bypass normal authentication mechanisms and log into the targeted user's account without knowing their password. The vulnerability requires that the plugin's 'Fine tune placement' feature be enabled, which influences how and where the shortcode operates within the site. The CVSS 3.1 base score is 7.5, with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No patches or exploit code are currently publicly available, and no active exploitation has been reported. However, the vulnerability poses a significant threat to the security of WooCommerce-based e-commerce sites that rely on this plugin for email verification and user authentication.

The vulnerability enables attackers with relatively low privileges (Contributor or higher) to escalate their access by impersonating any unverified user on the affected WooCommerce site. This can lead to unauthorized access to customer accounts, exposing sensitive personal and payment information, order histories, and potentially allowing fraudulent transactions. The compromise of user accounts undermines trust in the e-commerce platform and can result in financial losses, reputational damage, and regulatory compliance issues related to data protection laws such as GDPR. Additionally, attackers could leverage compromised accounts to further escalate privileges or distribute malicious content. The requirement for the 'Fine tune placement' option to be enabled limits the attack surface but does not eliminate the risk. Given WooCommerce's global popularity, the vulnerability could affect a large number of online stores worldwide, especially those that have not updated the plugin or implemented compensating controls.

1. Immediately update the Customer Email Verification for WooCommerce plugin to a patched version once available from the vendor. 2. If a patch is not yet available, disable the 'Fine tune placement' option in the plugin settings to prevent exploitation. 3. Restrict Contributor-level and higher privileges to trusted users only, minimizing the number of users who can exploit this vulnerability. 4. Implement additional monitoring and alerting for unusual account verification link generation or login activities. 5. Consider temporarily disabling the plugin if it is not critical to operations until a fix is applied. 6. Review and harden WordPress user role assignments and permissions to reduce the risk of privilege abuse. 7. Educate site administrators about the vulnerability and encourage regular plugin updates and security audits. 8. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious verification link requests if feasible.