CVE-2024-13694: CWE-285 Improper Authorization in moreconvert WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)
CVE-2024-13694 is a high-severity vulnerability in the moreconvert WooCommerce Wishlist WordPress plugin, affecting all versions up to 1.8.7. It is caused by improper authorization (CWE-285) due to missing validation in the download_pdf_file() function, allowing unauthenticated attackers to perform Insecure Direct Object Reference (IDOR) attacks. This enables attackers to access and extract wishlist data of other users without permission. The vulnerability has a CVSS score of 7.5, reflecting its high impact on confidentiality with no need for authentication or user interaction. Although no known exploits are currently reported in the wild, the ease of exploitation and the widespread use of WooCommerce plugins make this a significant risk. Organizations using this plugin should urgently apply patches once available or implement strict access controls and monitoring to mitigate potential data exposure. Countries with large e-commerce markets and significant WordPress usage are most at risk.
AI Analysis
Technical Summary
CVE-2024-13694 is a vulnerability identified in the moreconvert WooCommerce Wishlist plugin for WordPress, specifically affecting all versions up to and including 1.8.7. The root cause is an Insecure Direct Object Reference (IDOR) vulnerability stemming from improper authorization (CWE-285) in the download_pdf_file() function. This function fails to validate a user-controlled key parameter, allowing unauthenticated attackers to access PDF files containing wishlist data belonging to other users. Because the vulnerability does not require any authentication or user interaction, it can be exploited remotely over the network with low complexity. The exposure primarily impacts confidentiality, as attackers can extract sensitive user wishlist information, potentially including personal preferences or other data stored in the wishlist. The vulnerability has been assigned a CVSS 3.1 base score of 7.5, indicating a high severity level. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. However, given the popularity of WooCommerce and WordPress in e-commerce, this vulnerability poses a significant risk to organizations relying on this plugin for wishlist functionality. Attackers could leverage this flaw to harvest user data, which could be used for further attacks such as phishing or profiling. The vulnerability highlights the importance of proper authorization checks on user-supplied input, especially in e-commerce plugins handling user data.
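The missing check described above is an object-level authorization decision: resolving a record by a user-supplied key is not the same as confirming the requester may read it. The following is an added Python illustration of the vulnerable pattern beside its hardened form; it is not the plugin's PHP code, and the Wishlist store, the key format, the handler names and the `public` sharing flag are all constructed for the demo.

```python
"""Object-level authorization check that an IDOR like the one described for
download_pdf_file() is missing. Added Python illustration, not the plugin's
code: the Wishlist store, key format, handler names and the 'public' flag are
constructed for this demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets


class NotFound(Exception):
    """Raised for unknown keys and for keys the requester may not read."""


@dataclass
class Wishlist:
    owner_id: int
    items: List[str]
    public: bool = False
    # Unguessable share key; possessing the key alone must never grant access.
    key: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class WishlistStore:
    def __init__(self) -> None:
        self._by_key: Dict[str, Wishlist] = {}

    def add(self, wishlist: Wishlist) -> Wishlist:
        self._by_key[wishlist.key] = wishlist
        return wishlist

    def get(self, key: str) -> Optional[Wishlist]:
        return self._by_key.get(key)


def render_pdf(wishlist: Wishlist) -> bytes:
    # Stand-in for PDF generation; only the item count matters here.
    return f"PDF({len(wishlist.items)} items)".encode()


def download_pdf_vulnerable(store: WishlistStore, key: str, requester_id: Optional[int]) -> bytes:
    """Vulnerable pattern: the supplied key selects the object and nothing else is
    checked, so any requester (requester_id None = anonymous) who supplies a valid
    key receives the PDF, whoever owns the wishlist."""
    wishlist = store.get(key)
    if wishlist is None:
        raise NotFound(key)
    return render_pdf(wishlist)


def can_read(wishlist: Wishlist, requester_id: Optional[int]) -> bool:
    """Authorization decision: the owner, or anyone if the owner made it public."""
    if wishlist.public:
        return True
    return requester_id is not None and requester_id == wishlist.owner_id


def download_pdf_hardened(store: WishlistStore, key: str, requester_id: Optional[int]) -> bytes:
    """Hardened pattern: resolve the object, then check the requester against its
    owner. Unknown and forbidden keys raise the same error so the endpoint cannot
    be used to confirm that a key exists."""
    wishlist = store.get(key)
    if wishlist is None or not can_read(wishlist, requester_id):
        raise NotFound(key)
    return render_pdf(wishlist)


def demo() -> Dict[str, str]:
    """Runs both handlers against a two-user store and reports who could read what."""
    store = WishlistStore()
    alice = store.add(Wishlist(owner_id=1, items=["hat", "scarf"]))
    bob_public = store.add(Wishlist(owner_id=2, items=["mug"], public=True))

    def attempt(handler, key: str, requester_id: Optional[int]) -> str:
        try:
            handler(store, key, requester_id)
            return "allowed"
        except NotFound:
            return "denied"

    return {
        "vulnerable_anonymous_reads_alice": attempt(download_pdf_vulnerable, alice.key, None),
        "hardened_anonymous_reads_alice": attempt(download_pdf_hardened, alice.key, None),
        "hardened_bob_reads_alice": attempt(download_pdf_hardened, alice.key, 2),
        "hardened_alice_reads_alice": attempt(download_pdf_hardened, alice.key, 1),
        "hardened_anonymous_reads_public": attempt(download_pdf_hardened, bob_public.key, None),
        "hardened_unknown_key": attempt(download_pdf_hardened, "no-such-key", 1),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the hardened handler is the order of operations: look the object up, then decide based on who is asking and who owns it, and never let the lookup key stand in for that decision. In a WordPress plugin the equivalent identity source would be the logged-in user rather than the `requester_id` argument used here.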
Potential Impact
The primary impact of CVE-2024-13694 is the unauthorized disclosure of user wishlist data, compromising confidentiality. Organizations using the affected WooCommerce Wishlist plugin risk exposing sensitive customer preferences and potentially personally identifiable information (PII) stored within wishlists. This data leakage can erode customer trust, damage brand reputation, and potentially violate data protection regulations such as GDPR or CCPA, leading to legal and financial consequences. Since the vulnerability requires no authentication or user interaction, it can be exploited by remote attackers at scale, increasing the risk of mass data exposure. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone is significant for e-commerce businesses. Attackers could use the extracted data for targeted phishing campaigns, social engineering, or competitive intelligence. The lack of current known exploits reduces immediate risk but does not eliminate the threat, as proof-of-concept exploits could emerge rapidly. Organizations worldwide with WooCommerce-based e-commerce sites using this plugin are at risk, especially those with large user bases or handling sensitive customer data.
Mitigation Recommendations
Until an official patch is released, organizations should implement several specific mitigations. First, restrict access to the download_pdf_file() function by applying web application firewall (WAF) rules that block suspicious requests containing user-controlled keys or unexpected parameters targeting this endpoint. Second, review and harden access control policies on the server and plugin level to ensure only authenticated and authorized users can access wishlist data. Third, monitor web server logs for unusual or repeated access attempts to the wishlist PDF download functionality, enabling early detection of exploitation attempts. Fourth, consider temporarily disabling the wishlist PDF download feature or the entire plugin if feasible, especially on high-risk or sensitive sites. Fifth, communicate with the plugin vendor or monitor official channels for patches and apply updates promptly once available. Finally, conduct a security audit of other plugins and custom code to ensure similar authorization checks are properly implemented to prevent IDOR vulnerabilities.
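The third recommendation, watching web server logs for repeated access to the PDF download functionality, can be turned into a simple check: an IDOR against this endpoint shows up as one client requesting many different wishlist keys, while a legitimate user fetches their own one or two. The script below is an added Python example, not a tool from the plugin vendor; the `/wp-admin/admin-ajax.php` route, the `action=download_pdf_file` value and the `key` parameter name are placeholders for the plugin's real request format, and the log lines are constructed in combined log format.

```python
"""Detection for the log-monitoring recommendation: flag clients that request
many distinct wishlist keys through the PDF download endpoint. Added Python
example, not vendor code; the route, action value and parameter name below are
placeholders, and SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

DOWNLOAD_ACTION = "download_pdf_file"   # placeholder for the plugin's real action name
KEY_PARAM = "key"                        # placeholder for the plugin's real parameter name

# Constructed sample lines in combined log format; not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:21:10:01 +0000] "GET /wp-admin/admin-ajax.php?action=download_pdf_file&key=k7f3a HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [25/Feb/2026:21:10:02 +0000] "GET /wp-admin/admin-ajax.php?action=download_pdf_file&key=k7f3b HTTP/1.1" 200 4870 "-" "curl/8.5.0"
203.0.113.7 - - [25/Feb/2026:21:10:02 +0000] "GET /wp-admin/admin-ajax.php?action=download_pdf_file&key=k7f3c HTTP/1.1" 404 312 "-" "curl/8.5.0"
203.0.113.7 - - [25/Feb/2026:21:10:03 +0000] "GET /wp-admin/admin-ajax.php?action=download_pdf_file&key=k7f3d HTTP/1.1" 200 5011 "-" "curl/8.5.0"
198.51.100.20 - - [25/Feb/2026:21:12:40 +0000] "GET /wp-admin/admin-ajax.php?action=download_pdf_file&key=m91qz HTTP/1.1" 200 6002 "https://shop.example/wishlist/" "Mozilla/5.0"
198.51.100.20 - - [25/Feb/2026:21:13:05 +0000] "GET /wp-admin/admin-ajax.php?action=download_pdf_file&key=m91qz HTTP/1.1" 200 6002 "https://shop.example/wishlist/" "Mozilla/5.0"
198.51.100.20 - - [25/Feb/2026:21:13:30 +0000] "GET /shop/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
"""

# ip, identd, user, [timestamp], "METHOD URL PROTOCOL", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def wishlist_key(url: str) -> Optional[str]:
    """Return the wishlist key if the URL is a PDF download request, else None."""
    params = parse_qs(urlsplit(url).query)
    if DOWNLOAD_ACTION not in params.get("action", []):
        return None
    return params.get(KEY_PARAM, [""])[0]


def summarize(log_text: str) -> Dict[str, dict]:
    """Per client IP: number of download requests, distinct keys, and 200 responses."""
    stats = defaultdict(lambda: {"keys": set(), "ok": 0, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = wishlist_key(rec["url"])
        if key is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["keys"].add(key)
        if rec["status"] == "200":
            s["ok"] += 1
    return {
        ip: {"distinct_keys": len(s["keys"]), "ok": s["ok"], "requests": s["requests"]}
        for ip, s in stats.items()
    }


def find_enumeration(log_text: str, threshold: int = 3) -> Dict[str, dict]:
    """Flag clients that requested at least `threshold` distinct wishlist keys."""
    return {ip: s for ip, s in summarize(log_text).items() if s["distinct_keys"] >= threshold}


if __name__ == "__main__":
    for ip, s in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {s['distinct_keys']} distinct keys, {s['ok']}/{s['requests']} succeeded")
```

Two caveats when applying this to real logs: a standard access log does not record whether the client was logged in, so the distinct-key count is the signal rather than the absence of a session; and the threshold should be set from a baseline of normal traffic, since a shared NAT address can legitimately present several users' keys.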
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-23T20:53:30.253Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e68b7ef31ef0b5a0196
Added to database: 2/25/2026, 9:49:28 PM
Last enriched: 2/25/2026, 10:27:32 PM
Last updated: 2/26/2026, 7:10:08 AM
Related Threats
- CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup (High)
- CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator (Medium)
- CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo (Medium)