CVE-2024-27970
Description
Missing Authorization vulnerability in BogdanFix WP SendFox. This issue affects WP SendFox: from n/a through 1.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP SendFox plugin for WordPress up to 1.3.0 has a missing authorization check, allowing unprivileged users to perform unauthorized actions.
Vulnerability
Description
The WP SendFox plugin for WordPress suffers from a missing authorization vulnerability (broken access control) in versions up to 1.3.0. The plugin fails to properly verify that a user has the necessary privileges before executing certain functions, which exposes sensitive operations to unauthenticated or low-privileged attackers [1].
Exploitation
An attacker can exploit this flaw by sending specially crafted HTTP requests to the vulnerable endpoints. No authentication is required in some cases, or a low-privileged account (e.g., subscriber) is sufficient. The attack can be performed remotely without any special network access, making it easy to automate and scale. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].
Impact
Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as modifying plugin settings or manipulating the SendFox integration. The CVSS v3 score is 5.4 (Medium), reflecting the potential for unauthorized access but not complete system compromise. The impact is primarily on the integrity and confidentiality of the plugin's data [1].
Mitigation
The vendor has released version 1.3.1 which corrects the authorization issue. Users are strongly advised to update to this version or later immediately. For those unable to update, Patchstack offers a virtual patching rule to block attacks. Given the active exploitation in the wild, prompt remediation is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.