CVE-2024-0366: CWE-284 Improper Access Control in cifi Starbox – the Author Box for Humans
The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user-controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.
AI Analysis
Technical Summary
CVE-2024-0366 identifies a security weakness in the Starbox – the Author Box for Humans WordPress plugin, affecting all versions up to and including 3.4.7. The vulnerability is classified as CWE-284: Improper Access Control and manifests as an Insecure Direct Object Reference (IDOR). The root cause is the absence of proper validation on a user-controlled key parameter within the plugin's action function. This allows users with subscriber-level privileges (typically the lowest authenticated role in WordPress) to bypass the intended access restrictions and retrieve sensitive plugin preferences and potentially other user settings. The vulnerability is exploitable over the network without user interaction. The CVSS v3.1 base score is 4.3 (medium severity), reflecting a low-complexity attack whose impact is confined to confidentiality; there is no impact on integrity or availability. No privileges beyond subscriber access are required, and that role is commonly granted to registered users on many WordPress sites. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability was reserved in early January 2024 and publicly disclosed in February 2024. Given the widespread use of WordPress and the popularity of Starbox as an author box plugin, this vulnerability could affect a broad range of websites globally, particularly those that allow subscriber registration and have not updated the plugin.
Potential Impact
The primary impact of CVE-2024-0366 is the unauthorized disclosure of plugin preferences and potentially other user settings to subscriber-level users. While this does not directly compromise site integrity or availability, it exposes sensitive configuration data that could aid attackers in crafting further attacks or reconnaissance. For organizations, this could lead to privacy violations, leakage of internal configuration details, and erosion of trust among users. In multi-user WordPress environments, such as membership sites, blogs, or corporate intranets, this vulnerability could allow low-privilege users to gain insights into administrative configurations. Although the vulnerability requires only subscriber-level access, many WordPress sites allow open registrations, increasing the attack surface. The lack of known exploits in the wild reduces immediate risk, but the ease of exploitation and public disclosure may lead to future exploitation attempts. Organizations relying on this plugin should consider the risk of information disclosure and potential escalation paths that could arise from leaked configuration data.
Mitigation Recommendations
To mitigate CVE-2024-0366, organizations should immediately update the Starbox – the Author Box for Humans plugin to a patched version once available. In the absence of an official patch, administrators should implement strict access control checks on the plugin’s action functions, ensuring that only authorized roles (e.g., administrators or editors) can access sensitive plugin preferences. Restricting subscriber-level access to plugin settings via custom code or security plugins can reduce exposure. Additionally, monitoring user roles and registrations to prevent unauthorized subscriber accounts can limit attack vectors. Employing Web Application Firewalls (WAFs) with rules to detect and block suspicious requests targeting the vulnerable plugin endpoints can provide temporary protection. Regularly auditing WordPress plugins for updates and vulnerabilities, and disabling or removing unused plugins, will reduce overall risk. Finally, educating site administrators about the risks of granting subscriber access and encouraging the principle of least privilege will help mitigate similar issues.
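The access-control checks recommended above, shown as an added illustration in WordPress plugin style. This is constructed example code, not the Starbox plugin's own handler or its fix: the hook names, option names and nonce action are hypothetical, and the "before" handler only models the weakness class (an unvalidated user-supplied key reaching `get_option()` from an endpoint any logged-in role can call).

```php
<?php
// Constructed example (not the Starbox plugin's code): a WordPress AJAX
// handler exhibiting the CWE-284 / IDOR pattern, beside a hardened version.
// Hook names, option names and the nonce action are hypothetical.

// BEFORE: wp_ajax_{action} fires for every logged-in role, including
// subscriber, and the handler reads whatever option name the caller sends.
function example_vulnerable_get_pref() {
    $key = isset($_REQUEST['key']) ? $_REQUEST['key'] : '';
    wp_send_json_success(get_option($key)); // no capability check, no key validation
}
add_action('wp_ajax_example_get_pref', 'example_vulnerable_get_pref');

// AFTER: the same endpoint with the three checks a reviewer would expect.
function example_hardened_get_pref() {
    // 1. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce('example_get_pref') and passed as the `nonce` field.
    check_ajax_referer('example_get_pref', 'nonce');

    // 2. Authorization: only users who may manage options can read them;
    //    subscribers fail this check and receive a 403.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Object-reference validation: map the user-supplied key onto a fixed
    //    allowlist of preference names instead of passing it to get_option().
    $allowed = array(
        'theme'    => 'example_box_theme',
        'position' => 'example_box_position',
    );
    $key = isset($_REQUEST['key']) ? sanitize_key(wp_unslash($_REQUEST['key'])) : '';
    if (!array_key_exists($key, $allowed)) {
        wp_send_json_error('unknown preference', 400);
    }
    wp_send_json_success(get_option($allowed[$key]));
}
add_action('wp_ajax_example_get_pref_secure', 'example_hardened_get_pref');
```

The allowlist is what closes the IDOR: even an administrator can only reach the two named preferences, so a later capability mistake cannot turn the endpoint into a generic option reader.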
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-09T17:57:11.275Z
- Cisa Enriched: true
Threat ID: 682d983fc4522896dcbf0d05
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 2/28/2026, 10:59:50 AM
Last updated: 3/24/2026, 10:13:57 AM