CVE-2024-34821
Description
Missing Authorization vulnerability in Anssi Laitila Contact List contact-list. This issue affects Contact List: from n/a through <= 2.9.87.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Broken access control in Contact List plugin versions up to 2.9.87 allows unauthenticated attackers to perform privileged actions without authorization.
Vulnerability Overview
CVE-2024-34821 is a missing authorization vulnerability in the Contact List plugin for WordPress, affecting versions from n/a through 2.9.87 [1]. The issue stems from broken access control, meaning the plugin fails to properly check for authentication or authorization before executing certain functions, allowing an unauthenticated user to trigger higher-privileged actions [1][2].
Exploitation
Attackers can exploit this vulnerability remotely without needing any prior authentication or special network access. The missing authorization checks mean that any visitor to the website can invoke vulnerable endpoints or functionality that should be restricted to administrators [1][2]. This type of flaw is often targeted in mass-exploit campaigns, where attackers scan for vulnerable installations [1].
Impact
Successful exploitation allows an unprivileged attacker to perform actions that should require administrative privileges, such as modifying plugin settings or accessing contact list data. The CVSS score of 5.3 indicates moderate severity, as the attack complexity is low and no authentication is required [1][2].
Mitigation
The vulnerability is fixed in version 2.9.88 of the Contact List plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack has released a mitigation rule that can block attacks until the patch is applied [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:contactlistpro:contact_list:*:*:*:*:*:wordpress:*:* (Range: <2.9.88)
Patches
No patches discovered yet.
References
2 references
News mentions
No linked articles in our index yet.