CVE-2024-1042: CWE-862 Missing Authorization in princeahmed WP Radio – Worldwide Online Radio Stations Directory for WordPress
CVE-2024-1042 is a medium severity vulnerability in the WP Radio – Worldwide Online Radio Stations Directory WordPress plugin, affecting all versions up to and including 3.1.9. It stems from missing capability checks on multiple AJAX functions, allowing any authenticated user with subscriber-level access or higher to modify plugin data. An attacker can import radio stations, remove countries, and alter plugin settings. Because the plugin renders the data written through these endpoints, the unauthorized modification can be chained into Cross-Site Scripting (tracked separately as CVE-2024-1041). Exploitation requires a valid low-privileged account but no user interaction, and is possible remotely over the network. No exploitation in the wild has been reported. Organizations using this plugin should prioritize patching or apply interim workarounds to prevent unauthorized data manipulation and the chained attack.
AI Analysis
Technical Summary
CVE-2024-1042 is a vulnerability classified under CWE-862 (Missing Authorization) in the WP Radio – Worldwide Online Radio Stations Directory plugin for WordPress, maintained by princeahmed. The flaw exists in all plugin versions up to and including 3.1.9 because several AJAX endpoints lack a capability check. These endpoints handle privileged functions: importing radio stations, deleting country entries, and modifying plugin settings. In WordPress, a handler registered on a wp_ajax_{action} hook runs for every logged-in user regardless of role, so the handler itself must call current_user_can() with an appropriate capability; a nonce check alone only defends against CSRF, not against a logged-in attacker who can read the nonce from the page. Because the plugin never performs that capability check, any user with subscriber-level access or higher can execute these actions. This compromises data integrity and can be leveraged for further attacks, including the Cross-Site Scripting issue tracked separately as CVE-2024-1041. The vulnerability has a CVSS 3.1 base score of 6.4 (medium), with a network attack vector, low attack complexity, low privileges required, no user interaction, a scope change, and low confidentiality and integrity impact with no availability impact (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). No patch is currently linked in this entry, and no active exploitation has been reported. The case illustrates why every AJAX handler in a WordPress plugin must enforce its own authorization check to prevent privilege escalation and unauthorized data manipulation.
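To make the root cause concrete, the following is an added illustration (not WP Radio's code) of the CWE-862 pattern in a WordPress AJAX handler beside its hardened form. The plugin slug, action name, option name and nonce action are hypothetical placeholders chosen for the example.

```php
<?php
/**
 * Added example (not WP Radio's code): the CWE-862 pattern in a WordPress
 * AJAX handler and its hardened form. The slug, action name, option name
 * and nonce action are hypothetical placeholders.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} fires for EVERY authenticated user, Subscriber included.
// Registering a privileged write there without a capability check is the
// missing-authorization bug; a nonce alone would only stop CSRF, not a
// logged-in attacker who can read the nonce from the page.
//
//   add_action( 'wp_ajax_example_radio_import_stations', 'example_radio_import_stations_vulnerable' );
//
function example_radio_import_stations_vulnerable() {
    $stations = isset( $_POST['stations'] ) ? wp_unslash( $_POST['stations'] ) : '';
    // Stored verbatim. Anything later echoed unescaped by the directory
    // templates becomes the XSS chain the advisory warns about.
    update_option( 'example_radio_stations', $stations );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_radio_import_stations', 'example_radio_import_stations_secure' );

function example_radio_import_stations_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'example_radio_import' ) on the admin page).
    check_ajax_referer( 'example_radio_import', 'nonce' );

    // 2. Authorization (the check CVE-2024-1042 lacks): settings-level
    //    actions belong to users who can manage the site, not to any login.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Validate and sanitize before persisting.
    $raw     = isset( $_POST['stations'] ) ? wp_unslash( $_POST['stations'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
    }

    $clean = array();
    foreach ( $decoded as $station ) {
        if ( ! is_array( $station ) || empty( $station['name'] ) || empty( $station['stream_url'] ) ) {
            continue;
        }
        // Only http/https stream URLs survive; javascript: and data: are dropped.
        $url = esc_url_raw( (string) $station['stream_url'], array( 'http', 'https' ) );
        if ( '' === $url ) {
            continue;
        }
        $clean[] = array(
            'name'       => sanitize_text_field( (string) $station['name'] ),
            'stream_url' => $url,
        );
    }

    update_option( 'example_radio_stations', $clean );
    wp_send_json_success( array( 'imported' => count( $clean ) ) );
}
```

The capability check is the part that closes CWE-862; the nonce and the input sanitization are complementary controls, and the templates that render the stored entries must still escape on output (esc_html(), esc_url()). A handler that must also serve anonymous visitors would be registered on wp_ajax_nopriv_{action} and needs the same discipline.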
Potential Impact
The vulnerability allows authenticated users with minimal privileges (Subscriber or higher) to perform actions that should be restricted to administrators. This can lead to unauthorized data modification: importing attacker-controlled radio station entries, deleting legitimate country data, or altering plugin configuration. Such changes degrade the integrity of the directory, can disrupt the user experience and, because the plugin later renders the imported data, enable further attacks such as Cross-Site Scripting (CVE-2024-1041). For organizations relying on this plugin to publish an online radio directory, this can mean reputational damage, loss of user trust and exposure to additional web-based attacks. Availability is not affected directly, so denial of service is unlikely. The scope change in the CVSS vector reflects that the impact is not confined to the plugin: data written through these endpoints is served to the site's visitors, so the XSS chain can reach their browsers. The absence of known exploitation in the wild lowers the immediate threat but does not remove it, particularly on sites that allow open registration or have many low-privileged users.
Mitigation Recommendations
1. Update the WP Radio plugin as soon as the vendor publishes a release later than 3.1.9; this entry currently links no patch, so check the plugin's changelog on wordpress.org.
2. Until then, treat every registered account as a potential attacker: Subscriber is the default role for self-registered users, so disable open registration (Settings > General > "Anyone can register") and remove or downgrade accounts that are not needed.
3. Put a Web Application Firewall in front of the site with rules that flag or block requests to /wp-admin/admin-ajax.php whose action parameter belongs to this plugin when the session is not an administrator's.
4. Review WordPress roles and capabilities and remove privileges that users do not need.
5. Audit the existing radio station entries, country list and plugin settings for unexpected additions, deletions or script content; any change made through these endpoints before patching may have been unauthorized.
6. If the plugin's AJAX action names are known (grep the plugin for add_action( 'wp_ajax_' )), a must-use plugin can hook the same wp_ajax_{action} hooks at a lower priority number than the plugin's own handler and terminate the request unless current_user_can() grants an administrative capability.
7. Log and review activity on the plugin's AJAX endpoints, especially calls from non-administrator accounts.
8. Make site administrators aware that granting any account, even Subscriber, to an untrusted person is sufficient to exploit this issue.
9. If timely patching is not possible, consider disabling the plugin or replacing it with one that has a better security track record.
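Recommendations 6 and 7 together, as an added interim-hardening example that is not WP Radio's code: a must-use plugin that gates a third-party plugin's AJAX actions behind a capability check and logs each denied attempt. The action names are hypothetical placeholders and must be replaced with the real wp_ajax_* action names found in the installed plugin.

```php
<?php
/**
 * Plugin Name: Example AJAX capability gate
 * Description: Added interim-hardening example, not WP Radio's code. Drop it
 * in wp-content/mu-plugins/ so it loads before regular plugins. The action
 * names below are hypothetical; replace them with the real ones found by
 * grepping the plugin for add_action( 'wp_ajax_' ).
 */

// Hypothetical wp_ajax_* action names to gate.
const EXAMPLE_GATED_AJAX_ACTIONS = array(
    'example_radio_import_stations',
    'example_radio_remove_country',
    'example_radio_save_settings',
);

// Capability required to reach them; manage_options matches what the
// plugin's own settings page would normally require.
const EXAMPLE_GATE_CAPABILITY = 'manage_options';

// Priority 1 runs ahead of the plugin's own handler (default priority 10),
// and wp_send_json_error() ends the request, so the vulnerable handler is
// never reached for an unauthorized caller.
foreach ( EXAMPLE_GATED_AJAX_ACTIONS as $example_gated_action ) {
    add_action( 'wp_ajax_' . $example_gated_action, 'example_gate_enforce', 1 );
}

function example_gate_enforce() {
    if ( current_user_can( EXAMPLE_GATE_CAPABILITY ) ) {
        return; // authorized: fall through to the plugin's handler
    }

    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';

    // One line per denied attempt in the PHP error log gives the monitoring
    // signal from recommendation 7 without a separate logging stack.
    error_log( sprintf(
        'ajax-gate: denied action=%s user=%s uid=%d ip=%s',
        $action,
        $user->user_login,
        (int) $user->ID,
        $ip
    ) );

    wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
}
```

Verify the gate by calling one of the listed actions from a Subscriber session (browser devtools or curl with that session's cookies): the expected result is a 403 JSON error and a line in the PHP error log, while an administrator's call still reaches the plugin. The gate only covers the actions you list, so enumerate every wp_ajax_ registration in the plugin, and remove the mu-plugin once the fixed release is installed so it does not mask the vendor's own checks.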
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-29T16:12:49.272Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d1eb7ef31ef0b56e11d
Added to database: 2/25/2026, 9:43:58 PM
Last enriched: 2/26/2026, 9:11:27 AM
Last updated: 2/26/2026, 9:39:27 AM
Related Threats
- CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing (High)
- CVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS (High)
- CVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews (High)
- CVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements (High)
- CVE-2026-28083: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in UX-themes Flatsome (High)