CVE-2024-12616
Description
Missing capability checks on several AJAX actions in Bitly's WordPress Plugin up to 2.7.3 allow Subscriber-level authenticated attackers to update and retrieve plugin settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Bitly's WordPress Plugin (wp-bitly) is missing proper capability checks on multiple AJAX actions, specifically wpbitly_oauth_get_token, wpbitly_oauth_disconnect, and potentially others. The code in class-wp-bitly-auth.php registers these actions for all authenticated users, but the only permission check present is in the disconnect function, which requires the manage_options capability. The other AJAX callbacks lack any capability or nonce validation, so any authenticated user can invoke them. This affects all versions up to and including 2.7.3 [1].
Exploitation
An attacker needs only a valid WordPress account with Subscriber-level access (the lowest authenticated role). Because nonce checks are absent, the attacker can send crafted AJAX requests to the vulnerable endpoints without having to bypass them. For example, the get_token action likely allows retrieving the OAuth token or other sensitive plugin settings, and the disconnect action, while it is checked, still reveals unauthorized access to modify the plugin's authorization state. The attacker requires no special privileges beyond being logged in [1].
Impact
Successful exploitation allows an authenticated attacker to retrieve and update plugin settings, possibly including the OAuth token used to connect to Bitly. This could lead to unauthorized URL-shortening activity, disclosure of the token, or disruption of the plugin's functionality by altering its settings. The attacker gains no direct shell access but achieves unauthorized modification of data within the scope of the plugin's configuration [1].
Mitigation
The vendor has not released a patched version as of the publication date (2025-01-09). The reference shows the vulnerability exists in trunk; no fixed version is indicated. Users should disable the plugin or restrict access to the affected AJAX actions until an update is provided. This CVE is not listed on the CISA KEV catalog [1].
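The two passages above (Vulnerability and Mitigation) come down to the same WordPress pattern: an admin-ajax action registered for every logged-in user must itself verify a nonce and a capability, because `wp_ajax_*` hooks run for any authenticated account. The following is an added illustration, not code from the wp-bitly plugin or from Bitly. It shows the unchecked pattern the CVE describes beside a hardened handler, and then an interim must-use-plugin guard of the kind the mitigation text suggests. All function names, the nonce action string, the script handle and the option key are assumptions; the guarded action names are the two the page lists, and the assumption that the plugin registers them as `wp_ajax_<action>` must be confirmed against class-wp-bitly-auth.php before relying on the guard.

```php
<?php
// Added illustration; not the wp-bitly plugin's code.
// All example_* names, the nonce action and option key are assumptions.

// --- Pattern the CVE describes -------------------------------------------
// Registered for every logged-in user, with no nonce and no capability check,
// so a Subscriber can read (or, in a setter, overwrite) plugin settings.
add_action( 'wp_ajax_example_unchecked_get_token', 'example_unchecked_get_token' );
function example_unchecked_get_token() {
    wp_send_json_success( array( 'token' => get_option( 'example_oauth_token' ) ) );
}

// --- Hardened form -------------------------------------------------------
add_action( 'wp_ajax_example_checked_get_token', 'example_checked_get_token' );
function example_checked_get_token() {
    // CSRF: check_ajax_referer() terminates the request (HTTP 403) when the
    // 'nonce' field is missing or does not match the 'example_settings_nonce' action.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // Authorization: plugin settings are administrator data, so require
    // manage_options, the capability the page says the disconnect action enforces.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    wp_send_json_success( array( 'token' => get_option( 'example_oauth_token' ) ) );
}

// Supply the nonce to the legitimate admin page so its requests can pass the check.
// The script handle and file path are assumptions for this example.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugin_dir_url( __FILE__ ) . 'admin.js', array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_settings_nonce' ),
    ) );
} );

// --- Interim site-side guard (drop in wp-content/mu-plugins/) ------------
// Until a fixed release exists, refuse the listed actions to anyone without
// manage_options. Priority 0 runs before the plugin's own callback, and
// wp_send_json_error() exits, so the plugin's handler never executes.
// Assumes the plugin hooks these as wp_ajax_<action>; verify in the source.
$example_guarded_actions = array( 'wpbitly_oauth_get_token', 'wpbitly_oauth_disconnect' );
foreach ( $example_guarded_actions as $example_action ) {
    add_action( 'wp_ajax_' . $example_action, function () {
        if ( ! current_user_can( 'manage_options' ) ) {
            // Log the refused call so detection can key on it (actor id and action).
            error_log( sprintf( 'wp-bitly guard: refused %s for user %d',
                sanitize_key( $_REQUEST['action'] ?? '' ), get_current_user_id() ) );
            wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        }
    }, 0 );
}
```

The guard only blocks the two action names the page names; if the plugin registers further unchecked actions ("and potentially others"), add them to `$example_guarded_actions` after reading the registration code. The `error_log` line gives a detection hook: repeated 403 refusals for the same low-privilege user are the signal to look for in server logs.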
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
r3272740
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.