The vulnerability identified as CVE-2024-13652 affects the ECPay Ecommerce for WooCommerce plugin, a WordPress extension facilitating payment processing via ECPay. The issue stems from a missing capability check on the 'clear_ecpay_debug_log' AJAX action, which is intended to allow authorized users to clear debug logs. However, the lack of proper authorization verification means that any authenticated user with at least Subscriber-level privileges can invoke this action and erase the plugin's log files. These logs typically contain debugging and transaction-related information that could be critical for troubleshooting or forensic investigations. The vulnerability does not allow unauthorized data access or modification beyond log deletion, and it does not impact confidentiality or availability directly. The CVSS v3.1 score is 4.3 (medium), reflecting the limited impact and the requirement for authenticated access. The vulnerability affects all versions of the plugin up to 1.1.2411060. No patches or fixes have been linked yet, and no known exploits are reported in the wild. This vulnerability is classified under CWE-862 (Missing Authorization), indicating a failure to enforce proper access control on sensitive operations.

The primary impact of this vulnerability is the potential loss of critical debug log data, which can hinder incident response and forensic analysis. Attackers with low-level authenticated access (Subscriber or higher) can erase logs, potentially covering their tracks after performing malicious activities such as privilege escalation attempts or other unauthorized actions within the WordPress environment. While this does not directly compromise customer data or site availability, it reduces the ability of administrators to detect and respond to attacks effectively. Organizations relying on ECPay Ecommerce for WooCommerce for payment processing may face increased risk of undetected malicious activity, which could indirectly lead to larger security incidents. The impact is more pronounced in environments where multiple users have Subscriber or higher roles, especially if role assignments are not tightly controlled. Since WooCommerce is widely used globally, and ECPay is a popular payment gateway in certain Asian markets, the risk is geographically concentrated but relevant worldwide wherever this plugin is deployed.

1. Restrict user roles: Limit Subscriber-level and higher access strictly to trusted users. Review and minimize the number of users with authenticated access to the WordPress backend. 2. Monitor logs externally: Implement external logging and monitoring solutions that capture plugin activity logs outside the WordPress environment to prevent tampering. 3. Plugin updates: Regularly check for updates from the ECPay plugin vendor and apply patches promptly once available. 4. Custom authorization: If possible, implement custom code or use security plugins to enforce capability checks on the 'clear_ecpay_debug_log' AJAX action until an official patch is released. 5. Audit user activity: Enable and review WordPress audit logs to detect suspicious activities, especially log clearing attempts. 6. Harden WordPress security: Employ multi-factor authentication, strong password policies, and least privilege principles to reduce the risk of unauthorized authenticated access. 7. Backup logs: Regularly back up plugin logs and WordPress data to enable recovery in case of log deletion.