
CVE-2024-5768: CWE-862 Missing Authorization in surakrai MIMO Woocommerce Order Tracking

Severity: Medium
Tags: Vulnerability, CVE-2024-5768, cve, cve-2024-5768, cwe-862
Published: Wed Jun 19 2024 (06/19/2024, 03:12:32 UTC)
Source: CVE Database V5
Vendor/Project: surakrai
Product: MIMO Woocommerce Order Tracking

Description

CVE-2024-5768 is a medium severity vulnerability in the MIMO Woocommerce Order Tracking WordPress plugin, affecting all versions up to and including 1.0.2. The flaw arises from a missing authorization check in the 'mimo_update_provider' function, allowing authenticated users with Subscriber-level access or higher to modify shipping provider data. This unauthorized modification can include injecting stored cross-site scripting (XSS) payloads, potentially leading to client-side attacks. Exploitation requires no user interaction beyond authentication, and the vulnerability impacts confidentiality and integrity without affecting availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize implementing strict capability checks and updating or patching the plugin once a fix is available, to prevent unauthorized data manipulation and XSS risks.

AI-Powered Analysis

Last updated: 02/26/2026, 02:49:01 UTC

Technical Analysis

The vulnerability identified as CVE-2024-5768 affects the MIMO Woocommerce Order Tracking plugin for WordPress, specifically versions up to and including 1.0.2. The root cause is a missing authorization (capability) check in the 'mimo_update_provider' function, which is responsible for updating shipping provider information. Due to this missing check, any authenticated user with at least Subscriber-level privileges can invoke this function to modify shipping provider data without proper permissions. This unauthorized access allows attackers to alter shipping information and inject stored cross-site scripting (XSS) payloads, which can execute malicious scripts in the context of other users viewing the affected data. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity, requiring privileges (authenticated user), no user interaction, and a scope change due to the potential impact on other users. The confidentiality and integrity of the data are impacted, while availability remains unaffected. No patches or known exploits have been reported at the time of disclosure. This vulnerability is significant because WordPress and WooCommerce are widely used platforms, and plugins often extend their functionality, making them attractive targets for attackers seeking to escalate privileges or inject malicious content.

Potential Impact

The vulnerability allows authenticated users with minimal privileges (Subscriber-level) to modify shipping provider information, which can lead to unauthorized data manipulation and stored XSS attacks. This can compromise the confidentiality of user data by executing malicious scripts in the browsers of administrators or other users viewing the shipping information, potentially leading to session hijacking, credential theft, or further exploitation within the WordPress environment. The integrity of order tracking data is compromised, which could disrupt business operations or customer trust. Although availability is not directly impacted, the indirect effects of injected scripts could degrade user experience or lead to further compromise. Organizations relying on this plugin for e-commerce order tracking risk reputational damage, customer data exposure, and potential regulatory consequences if exploited. The medium CVSS score reflects the balance between the ease of exploitation (authenticated users only) and the significant impact on data integrity and confidentiality.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately review and restrict user roles and permissions, ensuring that only trusted users have Subscriber-level or higher access. Implement strict capability checks in the plugin code, particularly adding authorization verification in the 'mimo_update_provider' function to confirm that only users with appropriate administrative privileges can update shipping provider information. Monitor and audit plugin updates from the vendor and apply patches as soon as they become available. In the interim, consider disabling or removing the MIMO Woocommerce Order Tracking plugin if it is not essential. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious POST requests targeting the vulnerable function. Additionally, conduct regular security assessments and code reviews of third-party plugins to identify and remediate missing authorization issues proactively. Educate site administrators about the risks of granting excessive privileges to users and enforce the principle of least privilege.
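The following is an added illustration of the CWE-862 pattern described in the technical analysis and of the capability-check fix recommended above; it is not the plugin's own code. The handler name, the `wp_ajax_` hook, the request field names and the `manage_woocommerce` capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not the MIMO plugin's code. The hook name, request
// fields and chosen capability are assumptions for demonstration purposes.

// BEFORE (the pattern the advisory describes): the wp_ajax_ hook fires for
// every logged-in role, Subscriber included, and nothing below checks who is
// calling or what is being stored, so provider data (and any script payload
// inside it) is written straight to the database.
function mimo_update_provider_vulnerable() {
    $name = $_POST['provider_name'];            // unvalidated, unsanitized
    $url  = $_POST['provider_url'];
    update_option( 'mimo_provider', array( 'name' => $name, 'url' => $url ) );
    wp_send_json_success();
}
// add_action( 'wp_ajax_mimo_update_provider', 'mimo_update_provider_vulnerable' );

// AFTER: authorization (the CWE-862 fix), a CSRF nonce, and input
// sanitization, applied in that order before anything is stored.
function mimo_update_provider_hardened() {
    // 1. Authorization: only users allowed to manage the shop may change providers.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'mimo_update_provider', 'nonce' );

    // 3. Validate and sanitize; reject bad values rather than trying to clean them.
    $name = sanitize_text_field( wp_unslash( $_POST['provider_name'] ?? '' ) );
    $url  = esc_url_raw( wp_unslash( $_POST['provider_url'] ?? '' ) );
    if ( '' === $name || '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid provider data', 400 );
    }
    update_option( 'mimo_provider', array( 'name' => $name, 'url' => $url ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_mimo_update_provider', 'mimo_update_provider_hardened' );

// 4. Output encoding at render time: stored data is escaped when displayed,
// which closes the stored-XSS half of the issue even for data written before
// the fix was applied.
function mimo_render_provider() {
    $p = get_option( 'mimo_provider', array( 'name' => '', 'url' => '' ) );
    printf( '<a href="%s">%s</a>', esc_url( $p['url'] ), esc_html( $p['name'] ) );
}
```

The capability check is the one change that addresses CWE-862 itself; the nonce and sanitization steps are defence in depth against the CSRF and stored-XSS consequences the analysis describes.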


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-06-07T22:46:19.101Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6bf1b7ef31ef0b55cda4

Added to database: 2/25/2026, 9:38:57 PM

Last enriched: 2/26/2026, 2:49:01 AM

Last updated: 2/26/2026, 8:02:34 AM
