CVE-2024-0366 is a vulnerability classified under CWE-284 (Improper Access Control) affecting the WordPress plugin 'Starbox – the Author Box for Humans' developed by cifi. This plugin is widely used to display author information in WordPress posts. The vulnerability exists in all versions up to and including 3.4.7. It arises from an Insecure Direct Object Reference (IDOR) issue within the plugin's 'action' function, where a user-controlled key parameter is not properly validated. This lack of validation allows users with subscriber-level privileges—typically the lowest level of authenticated users—to access plugin preferences and potentially other user settings that should be restricted. The vulnerability does not require elevated privileges beyond subscriber access, nor does it require user interaction beyond normal authenticated use. Although no known exploits have been reported in the wild, the flaw could be leveraged to gain unauthorized visibility into configuration data and user settings, potentially exposing sensitive information or enabling further privilege escalation attacks. The vulnerability impacts confidentiality by exposing restricted data, integrity is less directly affected, and availability is not impacted. No official patch links are currently available, indicating that mitigation may require manual intervention or plugin updates once released.

For European organizations, this vulnerability poses a moderate risk primarily to websites and services running WordPress with the Starbox plugin installed. Since WordPress is widely used across Europe for corporate, governmental, and personal websites, the exposure of plugin preferences and user settings could lead to information disclosure, undermining confidentiality. This could facilitate targeted attacks such as social engineering, privilege escalation, or lateral movement within compromised environments. Organizations handling sensitive or regulated data (e.g., GDPR-protected personal data) could face compliance risks if unauthorized data access occurs. The impact is heightened for sectors relying heavily on WordPress for public-facing content, including media, education, and small to medium enterprises. However, the requirement for subscriber-level access limits the attack surface to environments where user registration or subscriber roles are enabled, which is common in community or membership sites. The vulnerability does not directly affect system availability or data integrity but could be a stepping stone for more severe attacks if combined with other vulnerabilities.

European organizations should immediately audit their WordPress installations to identify the presence of the Starbox – the Author Box for Humans plugin and verify the version in use. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict subscriber role creation and limit user registrations to trusted individuals only, reducing the number of potential attackers with subscriber access. 2) Implement Web Application Firewall (WAF) rules to monitor and block suspicious requests targeting the plugin's 'action' function, especially those attempting to manipulate user-controlled keys. 3) Review and harden WordPress user role permissions to ensure minimal privileges are granted and consider temporarily disabling the plugin if feasible. 4) Monitor logs for unusual access patterns or attempts to access plugin preferences by subscriber accounts. 5) Engage with the plugin vendor or community to track patch releases and apply updates promptly. 6) For high-risk environments, consider isolating WordPress instances or deploying additional access controls such as IP whitelisting for administrative areas.