CVE-2024-0595: CWE-862 Missing Authorization in awesomesupport Awesome Support – WordPress HelpDesk & Support Plugin
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails.
AI Analysis
Technical Summary
CVE-2024-0595 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Awesome Support – WordPress HelpDesk & Support Plugin. The root cause is a missing capability check in the wpas_get_users() function, which is hooked into WordPress's AJAX system. This function can be invoked by authenticated users with subscriber-level privileges or higher, allowing them to retrieve user data, including email addresses, without proper authorization. The vulnerability affects all plugin versions up to and including 6.1.7. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts confidentiality only. There is no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability can be leveraged by attackers to harvest user information, potentially facilitating phishing or targeted attacks. The issue highlights the importance of implementing proper capability checks in AJAX handlers within WordPress plugins to prevent unauthorized data access.
Potential Impact
The primary impact of CVE-2024-0595 is the unauthorized disclosure of user data, specifically email addresses, which compromises user privacy and confidentiality. For organizations, this can lead to an increased risk of phishing campaigns, social engineering attacks, and reputational damage. Although the vulnerability does not allow modification or deletion of data, the exposure of user information can be leveraged as a stepping stone for more sophisticated attacks. Organizations relying on the Awesome Support plugin for customer support and helpdesk functions may face compliance issues with data protection regulations such as GDPR or CCPA if user data is leaked. The scope of impact depends on the number of users registered on the affected WordPress site and the sensitivity of the data exposed. Since exploitation requires only subscriber-level access, attackers may gain an initial foothold through compromised low-privilege accounts or weak registration controls.
Mitigation Recommendations
To mitigate CVE-2024-0595, organizations should first check for and apply any official patches or updates released by the Awesome Support plugin developers once available. In the absence of an official patch, administrators can implement the following specific mitigations:
1) Restrict user registration and enforce strong authentication policies to limit the number of subscriber-level accounts.
2) Use a Web Application Firewall (WAF) to monitor and block suspicious AJAX requests targeting the wpas_get_users() function.
3) Modify the plugin code to add explicit capability checks (e.g., verifying that the current user has an appropriate role such as 'support_agent' or 'administrator') before processing AJAX requests that return user data.
4) Limit exposure of user email addresses in WordPress user profiles and consider anonymizing or masking sensitive fields where possible.
5) Monitor logs for unusual access patterns or repeated AJAX calls that could indicate exploitation attempts.
6) Educate users and administrators about the risks of phishing and social engineering that could stem from leaked user information.
These targeted actions go beyond generic advice and address the specific nature of this vulnerability.
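As an added illustration of mitigation 3 (this is not code from the Awesome Support plugin): a minimal WordPress AJAX handler in the weak shape the advisory describes, beside a hardened version that verifies a nonce and a capability before returning user data. The hook name, nonce action and capability name are assumptions chosen for the example.

```php
<?php
// Illustrative example, not Awesome Support's own code.
// Assumed names: hook 'example_get_users', nonce action 'example_get_users_nonce',
// capability 'edit_others_tickets'.

// Weak pattern (CWE-862): wp_ajax_* hooks fire for every authenticated role,
// subscriber included, so without a capability check any logged-in user
// receives the full user list, email addresses and all.
function example_get_users_unchecked() {
    $users = get_users( array( 'fields' => array( 'ID', 'user_email' ) ) );
    wp_send_json_success( $users );
}

// Hardened pattern: authorize first, then return only the fields the caller needs.
function example_get_users_checked() {
    // Rejects requests without a valid nonce (dies with HTTP 403 on failure),
    // which also blocks cross-site forgery of this endpoint.
    check_ajax_referer( 'example_get_users_nonce', 'nonce' );

    // Capability check: prefer a capability over a role name so that
    // custom roles granted the capability still work. Subscribers lack it.
    if ( ! current_user_can( 'edit_others_tickets' ) ) { // assumed capability
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Minimise disclosure: no email field in the response, bounded result size.
    $users = get_users( array(
        'fields' => array( 'ID', 'display_name' ),
        'number' => 50,
    ) );
    wp_send_json_success( $users );
}

// Register only the authenticated hook; deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_get_users', 'example_get_users_checked' );
```

When reviewing a plugin's AJAX handlers, the check to look for is exactly this pairing: a `check_ajax_referer()` or equivalent nonce test plus a `current_user_can()` test before any data is read or written.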
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-16T14:19:26.414Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf0daa
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 2/28/2026, 11:04:56 AM
Last updated: 3/25/2026, 5:47:03 AM