
CVE-2024-0324: CWE-284 Improper Access Control in reflectionmedia User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Severity: High
Published: Mon Feb 05 2024 (02/05/2024, 21:21:37 UTC)
Source: CVE
Vendor/Project: reflectionmedia
Product: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Description

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.

AI-Powered Analysis

Last updated: 07/04/2025, 18:42:53 UTC

Technical Analysis

CVE-2024-0324 is a high-severity vulnerability (CVSS 8.2) affecting the WordPress plugin 'User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor' developed by reflectionmedia. The vulnerability arises from improper access control (CWE-284) due to a missing capability check in the function 'wppb_two_factor_authentication_settings_update' across all plugin versions up to and including 3.10.8. This flaw allows unauthenticated attackers to modify the two-factor authentication (2FA) settings for arbitrary user roles in the Premium version of the plugin. Specifically, attackers can enable or disable 2FA without any authentication or user interaction, which compromises the integrity of the security controls protecting user accounts. Since 2FA is a critical defense mechanism against account takeover, unauthorized modification of these settings can weaken the security posture of affected WordPress sites. The vulnerability does not directly impact confidentiality but has a high impact on integrity by allowing attackers to alter security configurations. Availability impact is low. No known exploits are currently reported in the wild, but the ease of exploitation (network accessible, no authentication required) and the widespread use of WordPress and this plugin make this a significant threat. The vulnerability is classified under CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization). No official patch links are provided yet, indicating that site administrators must monitor for updates or apply manual mitigations.
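The missing-capability-check pattern described above, next to a hardened form, as an added example that is not the plugin's code. All function, option, field and nonce names are hypothetical; only the WordPress core calls are real.

```php
<?php
// Added illustration. Function, option, field and nonce names are
// hypothetical and are not taken from the User Profile Builder source.

// BEFORE: the CWE-862 pattern. The handler assumes that only an admin
// screen can reach it, so any request that triggers it rewrites the setting.
function example_2fa_settings_update_unchecked() {
    if ( ! isset( $_POST['example_2fa_roles'] ) ) {
        return;
    }
    $roles = array_map( 'sanitize_key', (array) wp_unslash( $_POST['example_2fa_roles'] ) );
    update_option( 'example_2fa_enabled_roles', $roles ); // no authorization at all
}

// AFTER: the handler authorizes itself, regardless of which hook calls it.
function example_2fa_settings_update() {
    // 1. Capability check: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request came from the settings form (CSRF defence).
    check_admin_referer( 'example_2fa_settings_update', 'example_2fa_nonce' );

    // 3. Accept only role slugs that actually exist on this site.
    $submitted = isset( $_POST['example_2fa_roles'] )
        ? array_map( 'sanitize_key', (array) wp_unslash( $_POST['example_2fa_roles'] ) )
        : array();
    $roles = array_values( array_intersect( $submitted, array_keys( wp_roles()->roles ) ) );

    update_option( 'example_2fa_enabled_roles', $roles );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// admin_post_{action} fires only for logged-in users. The capability check
// above is still required, because "logged in" is not "authorized".
add_action( 'admin_post_example_2fa_settings_update', 'example_2fa_settings_update' );
```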

Potential Impact

For European organizations using WordPress sites with the User Profile Builder plugin, this vulnerability poses a significant risk. Attackers can disable 2FA protections, increasing the likelihood of account compromise, privilege escalation, and subsequent unauthorized access to sensitive data or administrative functions. This can lead to data breaches, defacement, or use of compromised sites as launchpads for further attacks. Organizations in sectors with strict data protection regulations (e.g., GDPR) face compliance risks and potential fines if breaches occur due to this vulnerability. The impact is particularly critical for organizations relying on the Premium version of the plugin where 2FA is implemented. Since WordPress powers a large portion of European websites, including governmental, educational, and commercial entities, the threat surface is broad. The lack of authentication and user interaction requirements makes exploitation feasible by remote attackers, increasing the urgency for mitigation.

Mitigation Recommendations

1. Immediate action should include disabling or uninstalling the User Profile Builder plugin until a security patch is released.
2. Monitor the plugin vendor’s official channels for updates and apply patches promptly once available.
3. Implement compensating controls such as web application firewalls (WAFs) to restrict access to the vulnerable function endpoints or limit access to trusted IP addresses.
4. Conduct audits of user roles and 2FA settings to detect unauthorized changes.
5. Enforce strong password policies and monitor login attempts to detect suspicious activity.
6. Consider deploying additional multi-factor authentication solutions independent of the vulnerable plugin to maintain account security.
7. Regularly backup WordPress sites and configurations to enable quick recovery in case of compromise.
8. Educate site administrators about the risks and signs of exploitation related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-01-08T15:36:02.001Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec332

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:42:53 PM

Last updated: 7/26/2025, 6:23:10 PM
