CVE-2024-12617
📋 TL;DR
The WC Price History for Omnibus WordPress plugin has missing capability checks on AJAX actions, allowing authenticated users with Subscriber-level access or higher to view and modify price history data. This affects all versions up to and including 2.1.3 of the plugin.
💻 Affected Systems
- WC Price History for Omnibus WordPress plugin
⚠️ Manual Verification Required
The database entry this page was generated from carries no affected-version range, so automated version matching cannot decide whether a given install is affected.
Why? The CVE record does not state which versions are vulnerable (no version ranges provided by the vendor/NVD). The advisory text above and the fix section below give the range that was actually patched: 2.1.3 and earlier are affected and 2.1.4 is the fix, so compare your installed version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate historical pricing data, potentially affecting business decisions, inventory management, or creating false pricing trends that impact customer trust.
Likely Case
Unauthorized viewing of historical pricing data and minor modifications to price history records, potentially affecting reporting accuracy.
If Mitigated
Limited impact once the plugin is updated to 2.1.4 or deactivated. Short of that, the only control is keeping the set of accounts that can log in small and watched: the missing check lives inside the plugin's AJAX handlers and cannot be re-added from outside it, so "access controls" here means restricting who holds a login at all.
🎯 Exploit Status
Exploitation requires an authenticated account, but nothing more. WordPress `wp_ajax_{action}` handlers fire for any logged-in user, so a Subscriber can call the affected actions directly against /wp-admin/admin-ajax.php with an ordinary session cookie; no admin page or nonce is needed when the handler performs no check. If the site permits self-registration (Settings > General > "Anyone can register"), an attacker can create that Subscriber account themselves.
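The bug class named in the TL;DR and the exploit note above (a `wp_ajax_` handler that is gated only by "is logged in") is easiest to see next to its fix. The following is an added illustrative example, not code from the WC Price History for Omnibus plugin: the action names, meta key, nonce name and the `edit_product` capability are all hypothetical choices made for the example.

```php
<?php
/*
 * Added example of the bug class (missing capability check on a wp_ajax_ handler).
 * NOT code from the WC Price History plugin; every identifier below is hypothetical.
 */

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_{action} fires for ANY logged-in user. Registering a handler on it with
// no further check means a Subscriber can send
//   POST /wp-admin/admin-ajax.php   action=example_ph_update_vuln&product_id=12&price=1
// and rewrite the stored history.
add_action( 'wp_ajax_example_ph_update_vuln', 'example_ph_update_vuln' );
function example_ph_update_vuln() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $history    = get_post_meta( $product_id, '_example_price_history', true );
    $history    = is_array( $history ) ? $history : array();
    $history[]  = array( 'ts' => time(), 'price' => (float) ( $_POST['price'] ?? 0 ) );
    update_post_meta( $product_id, '_example_price_history', $history ); // no authz, no CSRF check
    wp_send_json_success( $history );
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_example_ph_update', 'example_ph_update' );
function example_ph_update() {
    // 1. CSRF: the nonce must have been issued on a page WordPress rendered for
    //    this user. check_ajax_referer() terminates the request with 403 on failure.
    check_ajax_referer( 'example_ph_nonce', 'nonce' );

    // 2. Authorization: gate on a capability for THIS product, not on login state.
    //    WooCommerce registers the 'product' post type with map_meta_cap, so the
    //    'edit_product' meta capability resolves per product (assumption: the
    //    capability you want is "may edit this product").
    $product_id = absint( $_POST['product_id'] ?? 0 );
    if ( 0 === $product_id
         || 'product' !== get_post_type( $product_id )
         || ! current_user_can( 'edit_product', $product_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    // 3. Input validation, after the authorization decision.
    $price = isset( $_POST['price'] ) ? (float) wp_unslash( $_POST['price'] ) : null;
    if ( null === $price || $price < 0 ) {
        wp_send_json_error( array( 'message' => 'invalid price' ), 400 ); // exits
    }

    $history   = get_post_meta( $product_id, '_example_price_history', true );
    $history   = is_array( $history ) ? $history : array();
    $history[] = array( 'ts' => time(), 'price' => $price );
    update_post_meta( $product_id, '_example_price_history', $history );
    wp_send_json_success( $history );
}

// The page that issues the request has to carry the matching nonce, e.g.:
// wp_localize_script( 'example-ph', 'examplePh',
//     array( 'nonce' => wp_create_nonce( 'example_ph_nonce' ) ) );
```

The read-only "view history" counterpart needs the same `current_user_can()` gate; a nonce alone is not an authorization check, since any logged-in user can obtain a nonce from any page rendered for them. Never register a data-changing handler on `wp_ajax_nopriv_`, and do not rely on the action being "hidden": admin-ajax.php dispatches on whatever `action` value the client sends.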
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WC Price History for Omnibus' and click 'Update Now'.
4. Verify the plugin version is 2.1.4 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin (all versions)
Temporarily deactivate the WC Price History plugin until it is patched:
wp plugin deactivate wc-price-history
Restrict user roles (all versions)
Limit Subscriber and higher accounts to trusted users, and turn off open registration (Settings > General > Membership) so an attacker cannot self-provision the Subscriber account the attack needs.
🧯 If You Can't Patch
- Implement strict access controls and monitor all authenticated user activity
- Disable the plugin entirely and use alternative price tracking solutions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for the WC Price History version; the site is vulnerable if the version shown is 2.1.3 or lower and the plugin is active.
Check Version:
wp plugin get wc-price-history --field=version
Verify Fix Applied:
Verify plugin version is 2.1.4 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- AJAX requests to the plugin's price history actions from accounts that are not administrators or shop managers
- Price history AJAX calls from newly registered accounts, or from accounts that otherwise never touch the admin area (the attack needs only a valid login, so failed-login noise is not a reliable precursor)
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with price history related actions
SIEM Query (pseudo-syntax; the real `action` parameter names are not given in the advisory and must be taken from the plugin's `wp_ajax_` registrations):
source="wordpress" AND (uri="/wp-admin/admin-ajax.php" AND action CONTAINS "price_history") AND user_role!="administrator"
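Web-server access logs do not carry the `user_role` field the query above relies on, so the application has to emit it. The following must-use plugin is an added example, not part of the WC Price History plugin or the page: it writes one JSON line per admin-ajax.php request with the caller's roles and pre-computes the query's condition as a `flag` field. The `price_history` substring is the one used on this page; the real action names are an assumption to be replaced.

```php
<?php
/*
 * Plugin Name: AJAX audit log (added example)
 * Description: Logs every admin-ajax.php request with the caller's roles as one
 * JSON line in the PHP error log, so the "price_history from a non-administrator"
 * query can be run in a SIEM. Added example, not part of the WC Price History
 * plugin. Place in wp-content/mu-plugins/ so it loads before any regular plugin
 * and cannot be deactivated from the dashboard.
 */

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}; priority 1
// records the call even if the handler later dies or exits.
add_action( 'admin_init', 'example_ajax_audit_log', 1 );
function example_ajax_audit_log() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_text_field( wp_unslash( $_REQUEST['action'] ) );
    $user   = wp_get_current_user();
    $roles  = $user->exists() ? array_values( $user->roles ) : array( 'anonymous' );

    $record = array(
        'ts'       => gmdate( 'c' ),
        'event'    => 'wp_ajax',
        'method'   => $_SERVER['REQUEST_METHOD'] ?? '',
        'action'   => $action,
        'user'     => $user->exists() ? $user->user_login : '',
        'roles'    => $roles,
        'is_admin' => current_user_can( 'manage_options' ),
        // REMOTE_ADDR is the proxy's address behind a load balancer; map the
        // real client IP from your proxy's header at the edge, not here.
        'ip'       => $_SERVER['REMOTE_ADDR'] ?? '',
        // The exact condition of the SIEM query above, evaluated in-process.
        // 'price_history' is an assumed substring; substitute the plugin's real actions.
        'flag'     => ( false !== stripos( $action, 'price_history' ) )
                      && ! in_array( 'administrator', $roles, true ),
    );
    error_log( 'wp_ajax_audit ' . wp_json_encode( $record ) );
}
```

Ship the `error_log` destination (usually the PHP-FPM or web-server error log) to the SIEM and key the alert on `event=wp_ajax AND flag=true`. Because the record is written before the plugin's handler runs, it also captures attempts that the patched 2.1.4 handler rejects, which is the signal you want after upgrading.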