CVE-2024-13724: 
WordPress vulnerability analysis and mitigation

The Wallet System for WooCommerce plugin for WordPress (versions < 2.6.3) was identified with a missing authorization vulnerability. The issue was discovered by security researcher Tim Coen and was publicly disclosed on March 3, 2025. This vulnerability affects the wallet functionality of the plugin, which includes features for wallet management, cashback, refunds, and partial payments (WPScan).

The vulnerability has been assigned a CVSS score of 4.3 (Medium) and is classified as an Incorrect Authorization issue, falling under the OWASP Top 10 category A5: Broken Access Control (CWE-863). The technical assessment indicates a missing authorization mechanism in the plugin's functionality (Wordfence).

The vulnerability allows unauthenticated attackers to perform unauthorized actions within the wallet system. Specifically, attackers can increase their own wallet balance, transfer balances between arbitrary users, and initiate transfer requests from other users' wallets (WPScan).

The vulnerability has been patched in version 2.6.3 of the Wallet System for WooCommerce plugin. Site administrators are strongly advised to update to this version or later to protect against unauthorized access and manipulation of wallet functionalities (WPScan).