CVE-2024-13775: CWE-862 Missing Authorization in vanquish WooCommerce Support Ticket System
CVE-2024-13775 is a medium-severity vulnerability in the WooCommerce Support Ticket System WordPress plugin caused by missing authorization checks on key AJAX functions. Authenticated users with Subscriber-level access or higher can exploit this flaw to delete arbitrary posts and access sensitive user information such as names, emails, and capabilities. The vulnerability affects all versions up to 17. 8 and does not require user interaction. Although no known exploits are currently reported in the wild, the ease of exploitation and the exposure of user data pose significant risks. This vulnerability impacts confidentiality and integrity but not availability. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized data access and content manipulation. Countries with large WordPress and WooCommerce user bases, especially those with significant e-commerce activity, are at higher risk.
AI Analysis
Technical Summary
CVE-2024-13775 is a vulnerability identified in the WooCommerce Support Ticket System plugin for WordPress, affecting all versions up to and including 17.8. The root cause is missing authorization (CWE-862) in three AJAX handler functions: 'ajax_delete_message', 'ajax_get_customers_partial_list', and 'ajax_get_admins_list'. These functions lack proper capability checks, allowing authenticated users with minimal privileges (Subscriber-level and above) to perform unauthorized actions. Specifically, attackers can delete arbitrary posts, which compromises data integrity, and retrieve sensitive user information such as names, email addresses, and user capabilities, impacting confidentiality. The vulnerability is remotely exploitable over the network without user interaction and requires only low privileges, making it relatively easy to exploit. The CVSS v3.1 base score is 5.4 (medium), reflecting the moderate impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. However, the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive customer data or relying on the integrity of support ticket content.
Potential Impact
The vulnerability allows attackers with minimal authenticated access to delete arbitrary posts, potentially removing critical support tickets or other content, thereby disrupting business operations and customer support workflows. Additionally, unauthorized access to user names, emails, and capabilities can lead to privacy violations, targeted phishing attacks, or privilege escalation attempts. Organizations relying on WooCommerce Support Ticket System risk data leakage and content tampering, which can erode customer trust and lead to regulatory compliance issues, especially under data protection laws like GDPR. The absence of availability impact limits the scope to confidentiality and integrity, but the ease of exploitation and the broad access to user data make this a significant concern for e-commerce sites and service providers using this plugin.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations: 1) Restrict plugin access by limiting Subscriber-level user capabilities or disabling the plugin if not essential. 2) Employ web application firewalls (WAFs) with custom rules to block unauthorized AJAX requests targeting the vulnerable functions. 3) Monitor logs for unusual activity related to AJAX endpoints 'ajax_delete_message', 'ajax_get_customers_partial_list', and 'ajax_get_admins_list'. 4) Enforce strict user role management to minimize the number of users with Subscriber or higher privileges. 5) Consider temporarily replacing the plugin with alternative support ticket systems that have verified security. 6) Regularly back up website data to recover from potential unauthorized deletions. 7) Stay alert for vendor updates or patches and apply them promptly once available.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
CVE-2024-13775: CWE-862 Missing Authorization in vanquish WooCommerce Support Ticket System
Description
CVE-2024-13775 is a medium-severity vulnerability in the WooCommerce Support Ticket System WordPress plugin caused by missing authorization checks on key AJAX functions. Authenticated users with Subscriber-level access or higher can exploit this flaw to delete arbitrary posts and access sensitive user information such as names, emails, and capabilities. The vulnerability affects all versions up to 17. 8 and does not require user interaction. Although no known exploits are currently reported in the wild, the ease of exploitation and the exposure of user data pose significant risks. This vulnerability impacts confidentiality and integrity but not availability. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized data access and content manipulation. Countries with large WordPress and WooCommerce user bases, especially those with significant e-commerce activity, are at higher risk.
AI-Powered Analysis
Technical Analysis
CVE-2024-13775 is a vulnerability identified in the WooCommerce Support Ticket System plugin for WordPress, affecting all versions up to and including 17.8. The root cause is missing authorization (CWE-862) in three AJAX handler functions: 'ajax_delete_message', 'ajax_get_customers_partial_list', and 'ajax_get_admins_list'. These functions lack proper capability checks, allowing authenticated users with minimal privileges (Subscriber-level and above) to perform unauthorized actions. Specifically, attackers can delete arbitrary posts, which compromises data integrity, and retrieve sensitive user information such as names, email addresses, and user capabilities, impacting confidentiality. The vulnerability is remotely exploitable over the network without user interaction and requires only low privileges, making it relatively easy to exploit. The CVSS v3.1 base score is 5.4 (medium), reflecting the moderate impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. However, the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive customer data or relying on the integrity of support ticket content.
Potential Impact
The vulnerability allows attackers with minimal authenticated access to delete arbitrary posts, potentially removing critical support tickets or other content, thereby disrupting business operations and customer support workflows. Additionally, unauthorized access to user names, emails, and capabilities can lead to privacy violations, targeted phishing attacks, or privilege escalation attempts. Organizations relying on WooCommerce Support Ticket System risk data leakage and content tampering, which can erode customer trust and lead to regulatory compliance issues, especially under data protection laws like GDPR. The absence of availability impact limits the scope to confidentiality and integrity, but the ease of exploitation and the broad access to user data make this a significant concern for e-commerce sites and service providers using this plugin.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations: 1) Restrict plugin access by limiting Subscriber-level user capabilities or disabling the plugin if not essential. 2) Employ web application firewalls (WAFs) with custom rules to block unauthorized AJAX requests targeting the vulnerable functions. 3) Monitor logs for unusual activity related to AJAX endpoints 'ajax_delete_message', 'ajax_get_customers_partial_list', and 'ajax_get_admins_list'. 4) Enforce strict user role management to minimize the number of users with Subscriber or higher privileges. 5) Consider temporarily replacing the plugin with alternative support ticket systems that have verified security. 6) Regularly back up website data to recover from potential unauthorized deletions. 7) Stay alert for vendor updates or patches and apply them promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-28T18:24:28.641Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e6db7ef31ef0b5a0730
Added to database: 2/25/2026, 9:49:33 PM
Last enriched: 2/25/2026, 10:01:03 PM
Last updated: 2/25/2026, 10:53:09 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-27577: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n
CriticalCVE-2026-27497: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n
CriticalCVE-2026-27495: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n
CriticalCVE-2026-27494: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in n8n-io n8n
HighCVE-2026-27493: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n
CriticalActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.