
CVE-2024-13715: CWE-862 Missing Authorization in ilenejohnson zStore Manager Basic

Severity: Medium
Published: Thu Jan 30 2025 (01/30/2025, 13:42:05 UTC)
Source: CVE Database V5
Vendor/Project: ilenejohnson
Product: zStore Manager Basic

Description

CVE-2024-13715 is a medium-severity vulnerability in the zStore Manager Basic WordPress plugin caused by a missing authorization check (CWE-862) in the zstore_clear_cache() function. Any authenticated user with Subscriber-level access or higher can invoke the function and clear the plugin's cache without holding a capability that should be required for that action. The flaw does not affect confidentiality or availability; its impact is limited to integrity, since cached data can be discarded by users who should not be able to do so. Exploitation requires a valid login but no further user interaction. No exploitation in the wild has been reported. Sites running this plugin should apply a fixed version when one is available or, in the meantime, restrict access to the cache-clearing function. All versions up to and including 3.311 are affected. The CVSS 3.1 base score is 4.3.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 22:30:42 UTC

Technical Analysis

CVE-2024-13715 is a vulnerability in the zStore Manager Basic plugin for WordPress caused by a missing authorization check (CWE-862) in the zstore_clear_cache() function. The function clears the plugin's cache, and because it performs no capability check before doing so, any authenticated user with Subscriber-level access or higher can invoke it. Unauthorized cache clearing can disrupt normal plugin operation, forcing cached data to be discarded and rebuilt on the attacker's schedule rather than the site operator's. All versions of the plugin up to and including 3.311 are affected. The CVSS 3.1 base score is 4.3 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: the attack is launched remotely over the network with low complexity, requires low privileges (an authenticated Subscriber or above), needs no user interaction, and affects integrity only. No public exploit has been reported and no patch has been linked to the record, so mitigation currently depends on access control or on a plugin update when the vendor ships one. The finding matters because Subscriber is the lowest default WordPress role and is routinely granted to untrusted users, so a check that stops at "is the user logged in" is effectively no check at all.

Potential Impact

The primary impact of CVE-2024-13715 is on data integrity within the zStore Manager Basic plugin. Unauthorized cache clearing can cause inconsistent or stale data to be served while the cache is rebuilt, disrupting e-commerce operations or the user experience on affected sites. The vulnerability does not expose confidential data or cause denial of service, but letting low-privilege users control when cached data is discarded undermines the plugin's data-handling guarantees, and repeated clearing can impose avoidable load on the site. Organizations relying on the plugin for online stores or inventory management may see operational disruption. Because exploitation requires authentication, the risk is concentrated in environments where untrusted users hold Subscriber or higher access. This is common on multi-user sites and on any site with open registration enabled ("Anyone can register" in Settings > General), where the default role assigned to new accounts is Subscriber, so an attacker can obtain the needed privilege by simply signing up. The absence of known exploits lowers immediate risk but does not eliminate it; a missing capability check is trivial to exploit once the request format is known.

Mitigation Recommendations

To mitigate CVE-2024-13715, site owners should first review the user roles and accounts in their WordPress installation, confirm whether open registration is enabled, and remove or downgrade accounts that do not need Subscriber-level or higher access. Until an official fix is released, administrators can add a capability check (for example, current_user_can() against a capability such as manage_options) in front of the zstore_clear_cache() function, or hook into request handling so that only trusted roles such as Administrator or Editor can reach it. Logging cache-clearing events, including the requesting user and source address, helps detect unauthorized attempts. Limiting the number of users with Subscriber or higher privileges reduces exposure. Keep WordPress core and all plugins up to date and watch for a vendor release that addresses this issue. A Web Application Firewall with rules that block the cache-clearing request from low-privilege sessions can add a layer of protection. Finally, periodic audits of user permissions and plugin configuration help prevent exploitation of this and similar missing-authorization flaws.
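The pattern described in the Technical Analysis and Mitigation sections above, as an added illustrative example. This is not the zStore Manager Basic plugin's own code: the advisory names only the zstore_clear_cache() function, so the AJAX action name zstore_clear_cache, the transient name zstore_cache, the nonce action and the mu-plugin guard are all assumptions made for illustration. The first block shows the CWE-862 shape (a handler reachable by any logged-in user with no capability check), the second the hardened form, and the third a stopgap a site operator could drop into wp-content/mu-plugins/ without editing the plugin.

```php
<?php
/**
 * Illustrative example (not the plugin's actual code).
 * ASSUMPTIONS (hypothetical, not confirmed by the advisory):
 *  - the handler is reached via admin-ajax.php with action=zstore_clear_cache
 *  - the cache lives in the transient 'zstore_cache'
 */

// --- Vulnerable pattern (CWE-862) ---------------------------------------------
// wp_ajax_{action} fires for ANY authenticated user, Subscriber included.
// Nothing here asks whether the caller is allowed to manage the plugin.
function zstore_clear_cache_vulnerable() {
    delete_transient( 'zstore_cache' );
    wp_send_json_success( 'cache cleared' );
}
// add_action( 'wp_ajax_zstore_clear_cache', 'zstore_clear_cache_vulnerable' );
// (shown for contrast only; not registered in this file)

// --- Hardened pattern ---------------------------------------------------------
// Authorization: check a capability, not a role name; manage_options is held by
// Administrators by default and is what plugin settings pages normally require.
// Anti-CSRF: verify a nonce so an administrator cannot be tricked into clearing
// the cache through a forged request.
function zstore_clear_cache_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        zstore_log_denied_clear_cache();
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'zstore_clear_cache', 'nonce' ); // dies on failure

    delete_transient( 'zstore_cache' );
    wp_send_json_success( 'cache cleared' );
}
add_action( 'wp_ajax_zstore_clear_cache', 'zstore_clear_cache_hardened' );

// The nonce is minted where the button is rendered and sent with the request.
function zstore_clear_cache_button() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    printf(
        '<button data-action="zstore_clear_cache" data-nonce="%s">Clear cache</button>',
        esc_attr( wp_create_nonce( 'zstore_clear_cache' ) )
    );
}

// --- Detection: make denied attempts visible in the PHP error log --------------
function zstore_log_denied_clear_cache() {
    $user = wp_get_current_user();
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'zstore: denied cache clear by user %d (%s) from %s',
        $user->ID,
        $user->user_login,
        $addr
    ) );
}

// --- Stopgap for sites that cannot patch the plugin itself ---------------------
// admin-ajax.php runs admin_init before dispatching wp_ajax_{action}, so an
// mu-plugin can refuse the request up front for callers lacking the capability.
// Action name is an assumption; adjust to the real one once confirmed.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( 'zstore_clear_cache' === $action && ! current_user_can( 'manage_options' ) ) {
        zstore_log_denied_clear_cache();
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

The hardened handler checks the capability before the nonce so that a denied low-privilege caller is logged rather than dying inside check_ajax_referer(). The mu-plugin guard is a short-term control only: it depends on knowing the real request action, and should be removed once a fixed plugin version is installed.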


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-24T15:18:08.054Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e6ab7ef31ef0b5a03db

Added to database: 2/25/2026, 9:49:30 PM

Last enriched: 2/25/2026, 10:30:42 PM

Last updated: 2/26/2026, 7:55:42 AM

