CVE-2024-34768
Description
Missing Authorization vulnerability in Fastly. This issue affects Fastly: from n/a through 1.2.25.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Fastly WordPress plugin through version 1.2.25 contains a broken access control vulnerability allowing unauthenticated privilege escalation.
The Fastly WordPress plugin (versions up to 1.2.25) suffers from a missing authorization vulnerability [1]. This broken access control issue means that the plugin fails to properly verify permissions or nonce tokens in certain functions, enabling unprivileged users to execute actions normally reserved for higher-privileged roles.
Attackers can exploit this vulnerability remotely without authentication [1]. The lack of proper capability checks allows an unauthenticated attacker to perform administrative actions, bypassing the intended access restrictions. This type of vulnerability is frequently targeted in mass-exploit campaigns against WordPress sites [1].
The impact is privilege escalation, where an attacker can gain unauthorized administrative control over the affected WordPress installation [1]. While the CVSS score is 5.3 (Medium), the practical risk is elevated due to the ease of exploitation and the plugin's widespread use.
Patchstack has assigned a low severity impact but recommends immediate action [1]. The vulnerability is fixed in version 1.2.26 of the Fastly plugin [1]. Users are advised to update immediately or enable auto-updates for vulnerable plugins. Site owners unable to update should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)