CVE-2024-13747 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WooMail - WooCommerce Email Customizer plugin for WordPress, affecting all versions up to and including 3.0.34. The issue arises because the 'template_delete_saved' function lacks proper capability checks, allowing authenticated users with as low as Subscriber-level privileges to inject SQL code into an existing post deletion query. This vulnerability enables attackers to manipulate database queries without proper authorization, potentially modifying or corrupting data. The vulnerability is exploitable remotely over the network without user interaction, requiring only authenticated access. The CVSS v3.1 score is 4.3 (medium), reflecting that while the attack vector is network-based and requires low privileges, the impact is limited to integrity loss without affecting confidentiality or availability. No patches or known exploits are currently reported, but the risk remains significant due to the widespread use of WooCommerce and the plugin in e-commerce environments. The vulnerability could be leveraged to alter or delete data improperly, undermining trust in transactional or email customization data within affected WordPress sites.

The primary impact of CVE-2024-13747 is unauthorized modification of data integrity within WordPress sites using the WooMail plugin. Attackers with minimal privileges (Subscriber-level) can inject SQL commands to alter or delete data related to email templates or posts, potentially disrupting business communications or corrupting stored information. Although confidentiality and availability are not directly affected, the integrity compromise can lead to misinformation, operational disruptions, or further exploitation if combined with other vulnerabilities. For e-commerce sites relying on WooCommerce and WooMail, this could result in incorrect order notifications, loss of customer trust, or compliance issues. The medium severity reflects the limited scope of exploitation but acknowledges the risk posed by the ease of access and potential for data manipulation. Organizations worldwide with active WooCommerce deployments are at risk, especially those with large subscriber bases or less restrictive user role management.

1. Immediately restrict access to the WooMail plugin functions by limiting Subscriber-level user capabilities or upgrading user role permissions to prevent unauthorized access. 2. Monitor database logs and WordPress activity logs for unusual deletion or modification queries related to email templates or posts. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'template_delete_saved' function. 4. Regularly audit user roles and permissions within WordPress to ensure minimal privilege principles are enforced. 5. If possible, disable or remove the WooMail plugin until a security patch or update is released by the vendor. 6. Stay updated with vendor announcements and apply patches promptly once available. 7. Employ database-level protections such as prepared statements or parameterized queries if custom modifications are made to the plugin. 8. Conduct penetration testing focusing on authenticated user privilege escalation and SQL injection vectors to identify residual risks.