CVE-2024-13652
Description
The ECPay Ecommerce for WooCommerce plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clear_ecpay_debug_log' AJAX action in all versions up to, and including, 1.1.2411060. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's log files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ECPay Ecommerce for WooCommerce plugin lacks a capability check on the AJAX action to clear debug logs, allowing low-privileged users to delete them.
Vulnerability
Description
The ECPay Ecommerce for WooCommerce plugin for WordPress, in all versions up to and including 1.1.2411060, contains a missing capability check vulnerability in the clear_ecpay_debug_log AJAX action [1]. This flaw means that the function responsible for clearing plugin log files does not verify that the requesting user has the necessary administrative privileges before executing the deletion [1].
Exploitation
Prerequisites
An attacker can exploit this vulnerability simply by being an authenticated WordPress user with Subscriber-level access or higher [1]. No other special permissions are needed, and the AJAX action is accessible without a nonce check or additional authorization [1]. The attacker can trigger the action remotely, provided they have a valid session token.
Impact
Successful exploitation allows an authenticated attacker to clear the plugin's debug log files without authorization [1]. While this does not result in data theft or privilege escalation, it can be used to cover an attacker's tracks or hinder forensic analysis of previous malicious activity. The loss of log data may impede incident response and troubleshooting.
Mitigation
The vendor has not yet released a patched version at the time of publication. Site administrators are advised to restrict access to the vulnerable endpoint by applying a web application firewall rule or, if possible, removing the clear_ecpay_debug_log action until an update is provided [1]. Regularly reviewing user roles and limiting Subscriber-level accounts can also reduce risk.
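A temporary guard for the mitigation described above, as an added example (not the vendor's code or patch): a must-use plugin that hooks the same AJAX action ahead of the plugin's own handler and rejects the request unless the caller holds an administrative capability. The file name, function name, constant and the choice of `manage_options` are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Guard for clear_ecpay_debug_log (temporary mitigation)
 *
 * Example file: wp-content/mu-plugins/ecpay-log-guard.php (hypothetical name).
 * Adds the capability check the advisory reports as missing, without
 * modifying the vulnerable plugin's files.
 */

defined( 'ABSPATH' ) || exit;

// Assumption: only administrators should be able to clear the debug log.
// Use a narrower capability (e.g. 'manage_woocommerce') if shop managers need it.
const ECPAY_GUARD_REQUIRED_CAP = 'manage_options';

// WordPress dispatches logged-in AJAX requests to the hook "wp_ajax_{action}".
// PHP_INT_MIN makes this callback run before any handler the plugin registered.
add_action( 'wp_ajax_clear_ecpay_debug_log', 'ecpay_guard_clear_debug_log', PHP_INT_MIN );

function ecpay_guard_clear_debug_log() {
	if ( current_user_can( ECPAY_GUARD_REQUIRED_CAP ) ) {
		// Authorized: return so the plugin's own handler runs as usual.
		return;
	}

	// Record the rejected attempt so it survives even if the plugin log is targeted.
	$user = wp_get_current_user();
	error_log(
		sprintf(
			'[ecpay-guard] blocked clear_ecpay_debug_log user_id=%d login=%s ip=%s',
			$user->ID,
			$user->user_login,
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
		)
	);

	// Sends a JSON error with HTTP 403 and terminates the request,
	// so the plugin's handler is never reached.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

Remove the file once a fixed plugin version is installed; the `[ecpay-guard]` lines in the PHP error log show which accounts attempted the action in the meantime.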
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ecpay:ecpay_ecommerce_for_woocommerce:*:*:*:*:*:wordpress:*:* (Range: <=1.1.2411060)
Patches
No patches discovered yet.
References (3)
News mentions
No linked articles in our index yet.