CVE-2024-34804

Vulnerability

Overview The Tagembed WordPress plugin contains a missing authorization vulnerability affecting versions from n/a through 5.8 [1]. This flaw is classified as a broken access control issue, where the plugin fails to properly verify user permissions or nonce tokens in certain functions, allowing unauthenticated users to execute actions normally reserved for higher-privileged roles [1].

Exploitation

Scenario An attacker can exploit this vulnerability remotely without requiring any authentication or prior access, as the missing authorization check exists in publicly accessible functions [1]. This type of flaw is frequently targeted in mass-exploit campaigns that scan for vulnerable plugins across thousands of websites regardless of their popularity or traffic levels [1]. The low complexity and network-based attack vector increase the risk of widespread exploitation.

Impact

Successful exploitation allows an unprivileged or completely unauthenticated attacker to perform higher-privileged actions within the plugin, potentially including unauthorized configuration changes or access to sensitive data [1]. The CVSS v3 base score of 5.4 (Medium) reflects the limited but significant impact on confidentiality and integrity, though no impact on availability is noted [1].

Mitigation

The vulnerability has been patched in version 5.9 of the Tagembed plugin [1]. Users are strongly advised to update immediately; Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update, contacting a hosting provider or web developer for assistance is recommended [1]. This issue is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.