CVE-2024-35663
Description
Missing Authorization vulnerability in HahnCreativeGroup WP Translate. This issue affects WP Translate: from n/a through 5.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP Translate plugin up to 5.3.0 has a missing authorization vulnerability allowing unprivileged users to perform higher-privileged actions.
Vulnerability Overview
CVE-2024-35663 is a missing authorization vulnerability in the WP Translate plugin for WordPress, affecting versions from n/a through 5.3.0. The issue stems from a broken access control mechanism, where certain functions lack proper authorization, authentication, or nonce token checks [1]. This allows an unprivileged user to execute actions that should require higher privileges.
Exploitation
An attacker with low-level access (e.g., a subscriber or contributor) can exploit this flaw by sending crafted requests to the vulnerable endpoints. No special network position is required beyond being an authenticated user of the WordPress site. The vulnerability is particularly dangerous because it can be chained in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Impact
Successful exploitation enables an attacker to perform unauthorized actions, such as modifying plugin settings or accessing restricted data, depending on the missing authorization context. The CVSS v3 base score is 5.4 (Medium), reflecting the potential for privilege escalation without authentication bypass [1].
Mitigation
The vendor has not released a patched version as of the publication date (June 11, 2024). Users are advised to update the plugin immediately if a fix becomes available. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.