CVE-2024-13724 is an improper authorization vulnerability (CWE-285) found in the Wallet System for WooCommerce plugin developed by wpswings. This plugin provides wallet, cashback, refund, partial payment, and wallet restriction functionalities for WooCommerce on WordPress. The vulnerability affects all versions up to and including 2.6.2. It allows unauthorized users, including unauthenticated attackers, to perform critical wallet operations without proper permission checks. Specifically, attackers can increase their own wallet balance arbitrarily, transfer balances between any users, and initiate transfer requests from other users' wallets. The root cause is the lack of adequate authorization enforcement on wallet-related functions, enabling attackers to bypass intended access controls. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting integrity (I:L) but not confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability threatens the financial integrity of e-commerce platforms using this plugin, potentially leading to fraudulent wallet balance manipulations and unauthorized fund transfers.

The primary impact of CVE-2024-13724 is on the integrity of wallet balances within WooCommerce stores using the vulnerable plugin. Attackers can fraudulently increase their wallet funds, transfer funds between users without authorization, and initiate unauthorized transfer requests, leading to financial losses for merchants and customers. This undermines trust in the e-commerce platform and can result in chargebacks, reputational damage, and operational disruptions. While confidentiality and availability are not directly affected, the financial integrity breach can have cascading effects on business operations and customer confidence. Organizations relying on this plugin for wallet management face risks of internal fraud and external attacks, especially if attacker accounts with low privileges exist or if the site allows unauthenticated access to vulnerable functions. The lack of known exploits in the wild suggests limited current exploitation, but the ease of exploitation and significant financial impact make it a critical concern for affected sites.

1. Immediately restrict access to the Wallet System for WooCommerce plugin functionalities by limiting user roles and permissions to trusted administrators only. 2. Monitor wallet transactions and transfer logs for unusual activity such as unexpected balance increases or transfers between unrelated accounts. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting wallet operations. 4. Disable or remove the Wallet System for WooCommerce plugin if it is not essential to business operations until a security patch is released. 5. Regularly check for updates from the vendor (wpswings) and apply security patches promptly once available. 6. Conduct thorough security audits and penetration testing focused on authorization controls in the WooCommerce environment. 7. Educate site administrators about the risks of improper authorization and the importance of strict access controls. 8. Consider implementing multi-factor authentication (MFA) for administrative accounts to reduce the risk of account compromise. 9. Backup wallet data frequently to enable recovery in case of fraudulent transactions. 10. Review and harden WordPress and WooCommerce security configurations to minimize attack surface.