CVE-2024-13343: 
WordPress vulnerability analysis and mitigation

The WooCommerce Customers Manager plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-13343) discovered in January 2025. The vulnerability affects all versions up to and including 31.3, due to a missing capability check on the ajaxassignnew_roles() function. This security flaw allows authenticated attackers with Subscriber-level access or higher to elevate their privileges to administrator level (NVD).

The vulnerability stems from improper privilege management in the ajaxassignnew_roles() function, which lacks proper authorization checks. The issue has been assigned a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature. The vulnerability is classified under CWE-862 (Missing Authorization) and CWE-269 (Improper Privilege Management) (NVD, Wordfence Advisory).

The vulnerability allows authenticated users with minimal privileges (Subscriber level or above) to escalate their privileges to administrator level. This could potentially give attackers full control over the WordPress site, including access to sensitive customer data, order information, and complete administrative capabilities (NVD).

Site administrators should immediately update the WooCommerce Customers Manager plugin to version 31.4 or later, which contains the security fix. The vulnerability was patched in version 31.4, released in February 2025 (Plugin Page).