CVE-2024-11725

Name of the Vulnerable Software and Affected Versions SMS Alert Order Notifications – WooCommerce plugin for WordPress versions up to, and including, 3.7.6

Description The issue concerns unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function. This allows authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site, potentially updating the default role for registration to administrator and enabling user registration for attackers to gain administrative user access. The exploitation requires the woocommerce-warranty plugin to be installed.

Recommendations For versions up to, and including, 3.7.6, consider disabling the updateWcWarrantySettings() function until a patch is available to prevent unauthorized modification of data. As a temporary workaround, restrict access to the woocommerce-warranty plugin to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.