CVE-2024-13528
📋 TL;DR
The Customer Email Verification for WooCommerce WordPress plugin has an authentication bypass vulnerability that allows authenticated attackers with Contributor-level access or higher to generate verification links for any unverified user account and log into that account. This affects all versions up to and including 2.9.5 when the 'Fine tune placement' option is enabled in the plugin settings.
💻 Affected Systems
- Customer Email Verification for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress sites, potentially compromising customer data, payment information, and allowing complete site takeover.
Likely Case
Attackers gain access to customer accounts to steal personal information, make fraudulent purchases, or access order history.
If Mitigated
Limited impact if strong access controls, monitoring, and regular patching are in place.
🎯 Exploit Status
Requires authenticated access (Contributor role or higher) and specific plugin configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3238136/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'Customer Email Verification for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.9.6+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Fine Tune Placement
Disable the vulnerable plugin setting that enables exploitation.
Remove Contributor Access
Temporarily restrict Contributor-level user access until patching.
🧯 If You Can't Patch
- Disable the Customer Email Verification for WooCommerce plugin entirely
- Implement strict user role management and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Customer Email Verification for WooCommerce version. If version is 2.9.5 or earlier and 'Fine tune placement' is enabled, you are vulnerable.
Check Version:
wp plugin list --name=<plugin-slug> --field=version
(The --name filter of wp plugin list matches the plugin's directory slug under wp-content/plugins/, not its display title; substitute the slug of the installed plugin.)
Verify Fix Applied:
Verify plugin version is 2.9.6 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns from Contributor-level users
- Multiple account verification requests from single IP
- User account logins from unexpected locations
Network Indicators:
- HTTP POST requests to verification endpoints with manipulated parameters
SIEM Query:
source="wordpress" (event="user_login" OR event="account_verification") user_role="contributor" | stats count BY user | where count > 5
(Splunk SPL style; the field names event, user_role and user are illustrative and depend on how WordPress events are shipped to your SIEM.)
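As an added example, not part of this advisory, the logic of the SIEM query and the "multiple verification requests from a single IP" indicator applied to constructed log lines in Python. The field names (event, user, user_role, src_ip) are assumptions borrowed from the query above, not a real WordPress or plugin log schema.

```python
import json
from collections import Counter

# Constructed sample events, one JSON object per line. The schema is assumed
# (it mirrors the advisory's SIEM query fields), not a real WordPress log format.
SAMPLE_LOG = """
{"event":"user_login","user":"contrib1","user_role":"contributor","src_ip":"203.0.113.7"}
{"event":"account_verification","user":"contrib1","user_role":"contributor","src_ip":"203.0.113.7"}
{"event":"account_verification","user":"contrib1","user_role":"contributor","src_ip":"203.0.113.7"}
{"event":"account_verification","user":"contrib1","user_role":"contributor","src_ip":"203.0.113.7"}
{"event":"account_verification","user":"contrib1","user_role":"contributor","src_ip":"203.0.113.7"}
{"event":"account_verification","user":"contrib1","user_role":"contributor","src_ip":"203.0.113.7"}
{"event":"account_verification","user":"contrib1","user_role":"contributor","src_ip":"203.0.113.7"}
{"event":"user_login","user":"contrib2","user_role":"contributor","src_ip":"198.51.100.2"}
{"event":"post_update","user":"contrib2","user_role":"contributor","src_ip":"198.51.100.2"}
{"event":"user_login","user":"editor1","user_role":"editor","src_ip":"198.51.100.9"}
{"event":"account_verification","user":"guest","user_role":"subscriber","src_ip":"192.0.2.44"}
"""

THRESHOLD = 5  # the advisory's "count>5"
WATCHED_EVENTS = {"user_login", "account_verification"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def contributor_activity(events, threshold=THRESHOLD):
    """The SIEM query: count watched events per (user, src_ip) for
    Contributor-role actors and return the pairs exceeding the threshold."""
    counts = Counter(
        (e.get("user"), e.get("src_ip"))
        for e in events
        if e.get("user_role") == "contributor" and e.get("event") in WATCHED_EVENTS
    )
    return {key: n for key, n in counts.items() if n > threshold}


def verification_bursts(events, threshold=THRESHOLD):
    """The log indicator 'multiple account verification requests from a single
    IP': account_verification events per source IP, any role, over threshold."""
    counts = Counter(e.get("src_ip") for e in events if e.get("event") == "account_verification")
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("contributor activity over threshold:", contributor_activity(evs))
    print("verification bursts over threshold:", verification_bursts(evs))
```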