CVE-2024-13558: CWE-639 Authorization Bypass Through User-Controlled Key in gplsaver NP Quote Request for WooCommerce
CVE-2024-13558 is a high-severity vulnerability in the NP Quote Request for WooCommerce WordPress plugin, affecting all versions up to and including 1.9.179. It is an Insecure Direct Object Reference (IDOR) issue caused by missing validation on a user-controlled key, which lets unauthenticated attackers read the content of quote requests that belong to other users. Exploitation requires no authentication or user interaction and can be performed remotely over the network. No exploits are currently reported in the wild, but the vulnerability poses a significant confidentiality risk by exposing potentially sensitive customer quote data, and organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized disclosure. The impact is confined to confidentiality, with no integrity or availability effects. Countries with high WooCommerce adoption and significant e-commerce activity are most exposed. The CVSS v3.1 base score is 7.5 (High).
AI Analysis
Technical Summary
CVE-2024-13558 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in the NP Quote Request for WooCommerce plugin for WordPress. The plugin lets customers request quotes for products. The flaw is that the code which serves a quote request selects the record by a key supplied in the request and never checks that the caller is entitled to that record: the key identifies the object, but nothing ties the object to the requester's identity. An unauthenticated attacker can therefore substitute another key and read quote requests belonging to other users, the classic Insecure Direct Object Reference (IDOR) scenario. All versions up to and including 1.9.179 are affected. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The impact is unauthorized disclosure of quote request content, which may include customer details, requested products and quantities, and pricing information. The CVSS v3.1 base score is 7.5 (High); the factors the advisory lists (network attack vector, low attack complexity, no privileges required, no user interaction, high confidentiality impact and no integrity or availability impact) correspond to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. No public exploit is currently known, but the vulnerability is a significant confidentiality risk for affected WooCommerce sites. No patch is linked in this record, so mitigation may require temporary workarounds or deactivating the plugin until an update is available.
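The pattern behind CWE-639, as an added illustration that is not code from NP Quote Request for WooCommerce or from the advisory: a WordPress AJAX handler that loads a quote from a client-supplied quote_id and returns it with no authorization decision, beside a hardened handler that makes that decision from the caller's session or from an unguessable per-quote token. The post type np_quote, the meta keys, the parameter names and the hook names are assumptions chosen for the example; the real plugin's endpoint, parameter and storage are not described on this page, and the snippet is meant to be read in a WordPress plugin context (it relies on WordPress functions such as get_post, get_post_meta and wp_send_json_error).

```php
<?php
/**
 * Illustrative CWE-639 / IDOR pattern for a WordPress quote-request handler.
 * ADDED EXAMPLE: this is not code from NP Quote Request for WooCommerce.
 * Assumptions (hypothetical, not taken from the advisory): quotes are stored as
 * a custom post type 'np_quote', the request carries a numeric `quote_id` and an
 * optional `token`, a per-quote secret lives in post meta '_quote_token', and the
 * handler is reachable by logged-out visitors through admin-ajax.php.
 */

// --- VULNERABLE: the user-controlled key selects the object; nothing checks
//     that the caller is allowed to read it.
function np_example_view_quote_vulnerable() {
    $quote_id = absint( $_GET['quote_id'] ?? 0 );
    $quote    = get_post( $quote_id );
    if ( ! $quote || 'np_quote' !== $quote->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Any visitor who guesses or increments quote_id receives the content.
    wp_send_json_success( array(
        'customer' => get_post_meta( $quote_id, '_customer_email', true ),
        'items'    => get_post_meta( $quote_id, '_quote_items', true ),
    ) );
}

// --- HARDENED: resolve the object, then decide authorization from the
//     caller's identity or from a high-entropy token issued only to the
//     requester, never from the guessable id alone.
function np_example_view_quote_hardened() {
    $quote_id = absint( $_GET['quote_id'] ?? 0 );
    $quote    = get_post( $quote_id );
    if ( ! $quote || 'np_quote' !== $quote->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! np_example_can_read_quote( $quote ) ) {
        // Same response as "not found": a 403/404 difference would let an
        // attacker confirm which ids exist even without reading them.
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array(
        'customer' => get_post_meta( $quote->ID, '_customer_email', true ),
        'items'    => get_post_meta( $quote->ID, '_quote_items', true ),
    ) );
}

/**
 * Object-level authorization. True only when the caller can manage the shop,
 * is the logged-in author of this quote, or presents the token issued with it.
 */
function np_example_can_read_quote( WP_Post $quote ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    if ( is_user_logged_in() && (int) $quote->post_author === get_current_user_id() ) {
        return true;
    }
    $presented = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
    $expected  = (string) get_post_meta( $quote->ID, '_quote_token', true );
    // hash_equals is constant-time; an empty stored token must never match.
    return '' !== $expected && '' !== $presented && hash_equals( $expected, $presented );
}

// Token created once, when the quote is saved, and sent only to the requester
// (for example inside the confirmation e-mail link).
function np_example_issue_quote_token( $quote_id ) {
    $token = bin2hex( random_bytes( 32 ) ); // 256 bits: not enumerable
    update_post_meta( $quote_id, '_quote_token', $token );
    return $token;
}

add_action( 'wp_ajax_np_example_view_quote', 'np_example_view_quote_hardened' );
add_action( 'wp_ajax_nopriv_np_example_view_quote', 'np_example_view_quote_hardened' );
```

The fix is not input validation on the key: a well-formed quote_id is exactly what the attacker sends. What was missing is a decision that binds the object to the caller, made server-side after the lookup. For guest quotes, where there is no session to bind to, the binding has to come from a secret the requester alone received, compared in constant time; a short or sequential "key" gives no protection even if it is checked.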
Potential Impact
The primary impact of CVE-2024-13558 is unauthorized disclosure of customer quote requests, which can include personal information, requested products and pricing details. This loss of confidentiality can lead to privacy violations, loss of customer trust and regulatory exposure under data protection laws such as GDPR or CCPA. The vulnerability does not affect integrity or availability, so attackers cannot modify quotes or disrupt the shop, but they can harvest data in bulk: if the user-controlled key is predictable (for example a sequential record id), every quote on the site can be read by iterating over it. Organizations running the vulnerable plugin therefore risk exposure of business-sensitive pricing and customer data that can be used for competitive intelligence or for convincing phishing against the customers named in the quotes. Because no authentication or user interaction is required, automated scanning and exploitation across the many sites that use the plugin is likely once the endpoint is known.
Mitigation Recommendations
1. Audit all WooCommerce sites for the NP Quote Request plugin and record the installed version; anything up to and including 1.9.179 is affected.
2. Deactivate the plugin until the vendor releases a fixed version. Deactivation removes the endpoint; leaving the plugin active but unused does not.
3. Monitor the vendor's channels and the WordPress plugin repository for an update that addresses CVE-2024-13558, and apply it as soon as it is available.
4. As a stopgap, add web application firewall (WAF) rules that restrict or rate-limit requests to the plugin's quote-retrieval endpoint. A WAF cannot tell a legitimate key from a forged one, so this only slows enumeration; it does not close the flaw.
5. Log requests to the quote endpoint and alert on enumeration patterns: one client requesting many distinct key values in a short time, or a high rate of requests from user agents that never load the rest of the shop.
6. Train site administrators on the risk of outdated plugins and enforce a plugin update policy with a defined patch window.
7. If patching is not possible, apply a custom server-side fix: after loading the quote, verify that the caller owns it (matching logged-in user, a capability such as manage_woocommerce for staff, or an unguessable per-quote token for guest requests) before returning any content, and return the same response for "not found" and "not authorized".
8. Reduce the attack surface generally: remove plugins that are unused or unmaintained, and keep WordPress core, WooCommerce and all remaining plugins current.
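Detection logic for the logging and monitoring recommendation above, as an added example that is not part of the advisory or of the plugin: a PHP command-line script that parses combined-format web server access logs and flags any client that requests more than a handful of distinct quote keys from the quote endpoint within a five-minute window. The endpoint substring (np_quote), the parameter name (quote_id), the thresholds and the sample log lines are constructed for the example; replace the first two with whatever the real plugin's requests look like in your logs.

```php
<?php
/**
 * ADDED EXAMPLE (not from the advisory): flag IDOR-style enumeration of a
 * quote endpoint in Apache/nginx "combined" access logs.
 * Assumptions, all hypothetical: the request target contains "np_quote" and the
 * user-controlled object key is the query parameter "quote_id".
 */
const ENDPOINT_PATTERN = 'np_quote';   // substring of the request target to watch
const KEY_PARAM        = 'quote_id';   // user-controlled object key
const MAX_DISTINCT_IDS = 5;            // distinct keys per client per window
const WINDOW_SECONDS   = 300;

// combined format: ip - - [time] "METHOD target HTTP/x" status bytes "ref" "ua"
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    parse_str( parse_url( $m[4], PHP_URL_QUERY ) ?? '', $params );
    return [
        'ip'     => $m[1],
        'ts'     => $ts->getTimestamp(),
        'method' => $m[3],
        'target' => $m[4],
        'params' => $params,
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/**
 * Sliding-window count of DISTINCT object keys per client IP on the watched
 * endpoint. A real customer opens one quote (maybe several times); an
 * enumerator touches many different keys quickly. Returns ip => max distinct.
 */
function find_enumerators( array $lines ): array {
    $seen = [];  // ip => list of [timestamp, key]
    $hits = [];
    foreach ( $lines as $line ) {
        $e = parse_log_line( $line );
        if ( ! $e || strpos( $e['target'], ENDPOINT_PATTERN ) === false ) {
            continue;
        }
        if ( ! isset( $e['params'][ KEY_PARAM ] ) ) {
            continue;
        }
        $seen[ $e['ip'] ][] = [ $e['ts'], (string) $e['params'][ KEY_PARAM ] ];
        // Keep only events inside the window ending at this request.
        $seen[ $e['ip'] ] = array_values( array_filter(
            $seen[ $e['ip'] ],
            fn( $ev ) => $ev[0] >= $e['ts'] - WINDOW_SECONDS
        ) );
        $distinct = count( array_unique( array_column( $seen[ $e['ip'] ], 1 ) ) );
        if ( $distinct > MAX_DISTINCT_IDS ) {
            $hits[ $e['ip'] ] = max( $hits[ $e['ip'] ] ?? 0, $distinct );
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data): one customer re-reading their
// own quote, and one scanner walking sequential ids with a scripting client.
$sample = [
    '203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=np_quote_view&quote_id=1042 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:10:00:40 +0000] "GET /wp-admin/admin-ajax.php?action=np_quote_view&quote_id=1042 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
];
for ( $i = 1000; $i < 1012; $i++ ) {
    $sec      = str_pad( (string) ( $i - 1000 ), 2, '0', STR_PAD_LEFT );
    $sample[] = "198.51.100.9 - - [10/Mar/2026:10:01:{$sec} +0000] \"GET /wp-admin/admin-ajax.php?action=np_quote_view&quote_id={$i} HTTP/1.1\" 200 790 \"-\" \"python-requests/2.31\"";
}

foreach ( find_enumerators( $sample ) as $ip => $n ) {
    echo "ALERT {$ip}: {$n} distinct " . KEY_PARAM . " values within " . WINDOW_SECONDS . "s\n";
}
```

On the constructed sample only 198.51.100.9 is reported (12 distinct keys in 12 seconds); the customer at 203.0.113.7 requests a single key and is ignored. Counting distinct keys rather than raw request volume is what separates enumeration from a customer reloading a page, and it keeps working when the attacker spreads requests over several minutes, as long as they stay inside the window.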
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-20T22:32:09.171Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 699f6e60b7ef31ef0b59f2f6
Added to database: 2/25/2026, 9:49:20 PM
Last enriched: 2/25/2026, 11:27:01 PM
Last updated: 2/26/2026, 6:37:35 AM
Related Threats
High: CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
High: CVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
High: CVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
Medium: CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
Medium: CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo