CVE-2024-53798
Description
Missing Authorization vulnerability in BAKKBONE Australia FloristPress bakkbone-florist-companion. This issue affects FloristPress: from n/a through <= 7.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FloristPress WordPress plugin ≤ 7.3.0 has a missing authorization vulnerability allowing unauthenticated content deletion due to nonce leakage.
Vulnerability Overview
CVE-2024-53798 is a missing authorization vulnerability in the FloristPress plugin (bakkbone-florist-companion) for WordPress, affecting all versions up to and including 7.3.0. The issue stems from a nonce leakage that leads to broken access control, allowing attackers to bypass authorization checks. This vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3 base score of 5.4 (Medium).
Exploitation Conditions
An unauthenticated attacker can exploit this flaw by leveraging the leaked nonce to perform unauthorized actions. No special network access or authentication is required; the attack can be carried out remotely. According to Patchstack, this vulnerability is part of a mass-exploit campaign targeting thousands of WordPress sites regardless of their size or popularity. The attack vector involves deleting arbitrary content such as posts, pages, and media files.
Impact and Mitigation
Successful exploitation allows an attacker to delete content from the website, potentially causing significant data loss and disruption. The vendor has released version 7.4.0 to address this issue. Users are strongly advised to update their plugin immediately. If unable to update, it is recommended to seek assistance from a hosting provider or web developer. Patchstack users can enable auto-updates for vulnerable plugins. The vulnerability is considered low-severity by the vendor but is actively exploited in the wild [1].
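As an added defender-side illustration of the bug class behind CVE-2024-53798 (this is hypothetical code written for this note, not the FloristPress plugin's code, which the page does not show), the following WordPress AJAX handler deletes content after checking only a nonce, beside the same handler with a per-object capability check. All function, action and nonce names are assumptions.

```php
<?php
// Hypothetical illustration of CWE-862 in a WordPress plugin: a delete endpoint
// gated by a nonce alone. NOT the FloristPress plugin's code.

// --- Vulnerable pattern ---------------------------------------------------
// A nonce is a CSRF token tied to a user session or, for visitors, to the
// anonymous session; it is not an authorization decision. If the nonce is
// rendered into markup an anonymous visitor can read (the "nonce leakage" in
// the CVE text), anyone holding it passes check_ajax_referer(), and the
// wp_ajax_nopriv_ hook makes the handler reachable without logging in.
function hypothetical_delete_item_vulnerable() {
    check_ajax_referer( 'hypothetical_delete_item_v1', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true );   // deletes whatever id the request supplies
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_delete_item_v1',        'hypothetical_delete_item_vulnerable' );
add_action( 'wp_ajax_nopriv_hypothetical_delete_item_v1', 'hypothetical_delete_item_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
// Keep the nonce (CSRF protection), add an authorization check scoped to the
// specific object, and register no nopriv hook so unauthenticated requests
// never reach the handler. current_user_can() is false for anonymous users,
// so the capability check alone would also close the hole.
function hypothetical_delete_item_hardened() {
    check_ajax_referer( 'hypothetical_delete_item_v2', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_hypothetical_delete_item_v2', 'hypothetical_delete_item_hardened' );

// Only emit the nonce to users who could pass the capability check; a nonce
// printed into public page output is the leakage the CVE describes.
function hypothetical_enqueue_delete_nonce() {
    if ( current_user_can( 'delete_posts' ) ) {
        wp_localize_script( 'hypothetical-admin-js', 'hypoDelete', array(
            'nonce' => wp_create_nonce( 'hypothetical_delete_item_v2' ),
        ) );
    }
}
add_action( 'admin_enqueue_scripts', 'hypothetical_enqueue_delete_nonce' );
```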
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 7.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.