The vulnerability identified as CVE-2024-13774 affects the WordPress plugin Wishlist for WooCommerce: Multi Wishlists Per Customer, versions up to and including 3.1.7. It is classified as a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) caused by missing or incorrect nonce validation in the 'save_to_multiple_wishlist' function. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and prevent CSRF attacks. The absence or improper implementation of nonce checks allows attackers to craft malicious requests that, when executed by an authenticated administrator (via clicking a malicious link), can alter plugin settings or inject malicious web scripts. This can compromise the integrity and confidentiality of the affected site. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), specifically targeting administrators. The scope is changed (S:C) because the vulnerability can affect resources beyond the vulnerable component. The CVSS score of 6.1 reflects a medium severity, emphasizing the potential for unauthorized changes and script injection without affecting availability. No patches or exploits are currently documented, but the vulnerability poses a risk to sites using this plugin, especially those with administrative users who might be tricked into clicking malicious links.

This vulnerability can lead to unauthorized modification of plugin settings and injection of malicious scripts, potentially compromising the confidentiality and integrity of the affected WordPress site. Attackers can leverage this to execute further attacks such as persistent cross-site scripting (XSS), privilege escalation, or data manipulation. While availability is not directly impacted, the injected scripts could be used to perform phishing or redirect users to malicious sites, damaging user trust and brand reputation. Organizations relying on this plugin for WooCommerce wishlists are at risk, especially if administrators are targeted via social engineering. The medium severity indicates a significant but not critical threat, with the main risk stemming from administrative user interaction. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

To mitigate this vulnerability, organizations should immediately update the Wishlist for WooCommerce: Multi Wishlists Per Customer plugin to a version that includes proper nonce validation once available. Until a patch is released, administrators should be trained to avoid clicking on suspicious links and emails that could trigger CSRF attacks. Implementing Web Application Firewalls (WAF) with rules to detect and block suspicious POST requests targeting the 'save_to_multiple_wishlist' function can reduce risk. Additionally, restricting administrative access to trusted networks and enforcing multi-factor authentication (MFA) for admin accounts can limit the impact of successful CSRF attempts. Regularly auditing plugin permissions and monitoring logs for unusual administrative actions can help detect exploitation attempts early. Developers should review and enforce nonce validation on all state-changing requests in the plugin codebase to prevent similar vulnerabilities.