CVE-2024-0791 is a vulnerability identified in the WOLF – WordPress Posts Bulk Editor and Manager Professional plugin, versions up to and including 1.0.8.1. The issue stems from missing authorization checks (CWE-862) in the functions wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term, which manage taxonomy terms within WordPress. This lack of capability verification allows any authenticated user with subscriber privileges or higher to perform unauthorized actions such as creating, modifying, or deleting taxonomy terms. Since taxonomy terms are critical for organizing content, unauthorized changes can disrupt site structure, SEO, and content integrity. The vulnerability is exploitable remotely without user interaction, requiring only authenticated access, which is commonly available to subscribers on many WordPress sites. The CVSS 3.1 base score is 4.3, indicating a medium severity primarily due to the limited impact on confidentiality and availability, but with a clear integrity impact. No public exploits have been reported yet, and no official patches were linked at the time of disclosure. The vulnerability was reserved on January 22, 2024, and published on February 5, 2024. The affected plugin is developed by realmag777 and is used globally wherever the plugin is installed on WordPress sites.

The primary impact of CVE-2024-0791 is on the integrity of WordPress sites using the affected plugin. Unauthorized users with subscriber-level access can manipulate taxonomy terms, potentially leading to disorganized content, misleading categorization, and SEO degradation. This can affect site usability and trustworthiness. While confidentiality and availability are not directly impacted, the unauthorized modification of taxonomy terms could be leveraged as part of a broader attack chain, such as defacement or content manipulation campaigns. Organizations relying on this plugin for content management risk reputational damage and operational disruption if attackers exploit this vulnerability. Since subscriber-level accounts are often easy to obtain or may be assigned to external contributors, the attack surface is significant. The vulnerability does not require user interaction, increasing the ease of exploitation. However, no known exploits are currently active in the wild, which somewhat limits immediate risk.

To mitigate CVE-2024-0791, organizations should first verify if they are using the WOLF – WordPress Posts Bulk Editor and Manager Professional plugin, particularly versions up to 1.0.8.1. If so, they should monitor the vendor’s channels for official patches and apply them promptly once available. In the absence of an official patch, administrators can implement strict role and capability management by restricting subscriber-level users from accessing or interacting with taxonomy management features. This can be done by customizing WordPress capabilities or using security plugins that enforce granular permissions. Additionally, auditing user roles and limiting subscriber account creation can reduce the risk of exploitation. Monitoring logs for unusual taxonomy term changes and implementing Web Application Firewalls (WAFs) with rules targeting unauthorized taxonomy modification attempts can provide additional defense. Regular backups of site content and taxonomy data are recommended to enable recovery from unauthorized changes.