CVE-2024-1862 in WooCommerce Add to Cart Custom Redirect Plugin
Summary
by MITRE • 03/13/2024
The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wcr_dismiss_admin_notice' function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with contributor access and above, to update the values of arbitrary site options to 'dismissed'.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-1862 affects the WooCommerce Add to Cart Custom Redirect plugin for WordPress, specifically targeting versions up to and including 1.2.13. This security flaw represents a critical authorization bypass issue that allows authenticated attackers with contributor-level privileges or higher to manipulate core WordPress site options. The vulnerability stems from a fundamental missing capability check within the plugin's codebase, specifically in the 'wcr_dismiss_admin_notice' function that handles administrative notice dismissal functionality. The absence of proper access control validation creates a pathway for malicious actors to exploit this weakness and gain unauthorized control over critical site configuration elements.
The technical implementation of this vulnerability resides in the plugin's handling of administrative notice dismissal mechanisms. When an authenticated user with contributor access or higher attempts to interact with the 'wcr_dismiss_admin_notice' function, the code fails to verify whether the requesting user possesses the appropriate administrative permissions required to modify site options. This missing capability check directly violates fundamental security principles and creates an attack surface that allows privilege escalation within the WordPress administration context. The vulnerability operates at the application layer and specifically targets WordPress's option management system, where the plugin incorrectly assumes all authenticated users have the authority to modify arbitrary site configuration values.
From an operational impact perspective, this vulnerability enables authenticated attackers to manipulate administrative notices and potentially compromise the integrity of the WordPress site configuration. Attackers can leverage this flaw to dismiss important security warnings, administrative notifications, or plugin-specific alerts that might otherwise indicate security concerns or system issues. The ability to modify arbitrary site options through this vector represents a significant threat to site integrity and security posture, as it allows for potential disruption of normal site operations, masking of security incidents, or manipulation of plugin behavior. This vulnerability particularly affects WordPress sites that rely on the WooCommerce Add to Cart Custom Redirect plugin and maintain multiple user roles with contributor-level access or higher.
The vulnerability aligns with CWE-863, which describes "Incorrect Authorization" - a weakness where the software does not correctly verify that the requesting entity is authorized to perform a given operation. This misconfiguration creates a direct pathway for unauthorized data modification and loss of data integrity. From an ATT&CK framework perspective, this vulnerability maps to T1078.004, "Valid Accounts: Cloud Accounts," as it exploits existing user accounts with sufficient privileges to perform unauthorized modifications. The attack requires minimal skill level and can be executed by authenticated users who are already part of the WordPress site's user base, making it particularly dangerous in environments where multiple users with varying access levels exist. Organizations should implement immediate mitigation measures including plugin updates to versions that address the capability check deficiency, role-based access reviews, and monitoring for unauthorized administrative notice modifications.
Mitigation strategies should prioritize immediate plugin updates to the latest available version that includes proper capability checks and authorization validation. Administrators should conduct comprehensive user access reviews to ensure that only trusted users maintain contributor-level or higher privileges within their WordPress installations. The implementation of additional monitoring mechanisms to track administrative notice dismissal activities can help detect potential exploitation attempts. Security hardening measures including the restriction of unnecessary administrative capabilities, regular security audits of installed plugins, and maintaining updated security frameworks will significantly reduce the risk exposure. Organizations should also consider implementing network-level monitoring to detect unusual administrative activities that might indicate exploitation attempts, as well as establishing automated patch management processes to ensure timely deployment of security updates across all WordPress installations.