
CVE-2024-10677: CWE-352 Cross-Site Request Forgery (CSRF) in Unknown BTEV

Medium
Published: Thu May 15 2025 (05/15/2025, 20:06:45 UTC)
Source: CVE
Vendor/Project: Unknown
Product: BTEV

Description

The BTEV WordPress plugin through 2.0.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

AI-Powered Analysis

Last updated: 07/04/2025, 06:55:39 UTC

Technical Analysis

CVE-2024-10677 is a medium-severity vulnerability classified under CWE-352, Cross-Site Request Forgery (CSRF). It affects the BTEV WordPress plugin up to and including version 2.0.2. The core issue is the absence of CSRF protection when updating plugin settings: the plugin does not implement a CSRF token (in WordPress terms, a nonce) or any similar mechanism to verify that a settings-change request was intentionally submitted by the authenticated user. Consequently, an attacker can craft a malicious web page that, when visited by an authenticated WordPress administrator, causes the browser to submit a settings change carrying the admin's session cookies, altering the plugin's configuration without the admin's explicit consent. The CVSS 3.1 base score is 4.3 (medium). The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) shows that the attack can be performed remotely over the network, has low attack complexity and requires no privileges, but does require user interaction (the admin must visit a malicious page). The impact is limited to integrity; confidentiality and availability are not affected. No exploits are known to be in the wild, and no patch or fix has been published yet. The CVE was assigned by WPScan and published in May 2025.
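As an added illustration of the missing check described above (example code written for this page, not the BTEV plugin's own source), a WordPress settings handler that honours any POST is shown beside one protected by the standard WordPress nonce and capability checks. All function, option, hook and field names are hypothetical.

```php
<?php
// Added example, not BTEV code. Names below are hypothetical.

// Vulnerable pattern: whatever arrives in $_POST is written to the option as
// long as the request carries a logged-in admin's cookies. The browser attaches
// those cookies to a form submitted from any origin, so no proof of intent exists.
function example_plugin_save_settings_vulnerable() {
    if ( isset( $_POST['example_plugin_options'] ) ) {
        update_option( 'example_plugin_options', $_POST['example_plugin_options'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// Hardened form: wp_nonce_field() embeds a token bound to this action and to
// the current user's session. A page on another origin cannot read that token,
// so a forged submission cannot include a valid one.
function example_plugin_settings_form() {
    $opts = (array) get_option( 'example_plugin_options', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_settings">
        <?php wp_nonce_field( 'example_plugin_save_settings', '_example_plugin_nonce' ); ?>
        <input type="url" name="example_plugin_options[api_url]"
               value="<?php echo esc_attr( $opts['api_url'] ?? '' ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened handler: capability check, then nonce check, then sanitised write.
function example_plugin_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 when the nonce is missing, expired, or issued for
    // another action or user; only then does the settings write proceed.
    check_admin_referer( 'example_plugin_save_settings', '_example_plugin_nonce' );

    $raw = isset( $_POST['example_plugin_options'] )
        ? (array) wp_unslash( $_POST['example_plugin_options'] ) : array();
    // Whitelist the expected keys and sanitise each value before storing.
    $clean = array( 'api_url' => isset( $raw['api_url'] ) ? esc_url_raw( $raw['api_url'] ) : '' );
    update_option( 'example_plugin_options', $clean );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_save_settings_hardened' );
```

When auditing a plugin for this class of bug, look for the settings write path (update_option or similar) and confirm a check_admin_referer / wp_verify_nonce call and a capability check precede it.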

Potential Impact

For European organizations using WordPress sites with the BTEV plugin installed (up to version 2.0.2), this vulnerability poses a risk of unauthorized configuration changes. Since the attack requires an authenticated admin to visit a malicious page, the threat is primarily to organizations with less stringent user security awareness or where admins frequently access untrusted sites. The integrity of the plugin's settings could be compromised, potentially leading to misconfigurations that degrade site functionality or open additional attack vectors. While the vulnerability does not directly expose sensitive data or cause denial of service, altered settings could indirectly weaken security or disrupt business operations. Given the widespread use of WordPress in Europe, especially among SMEs and public sector websites, the risk is non-negligible. However, the lack of known exploits and the requirement for user interaction somewhat limit the immediate threat level.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the BTEV plugin and verify its version. Until an official patch is released, administrators should restrict access to the WordPress admin interface to trusted networks or VPNs to reduce exposure. Implementing Content Security Policy (CSP) and SameSite cookies can help mitigate CSRF risks. Educating administrators about the dangers of clicking on untrusted links while logged into WordPress is critical. Additionally, organizations can deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious POST requests targeting the plugin's settings endpoints. Monitoring logs for unusual configuration changes and enabling multi-factor authentication (MFA) for admin accounts will further reduce risk. Once a patch is available, prompt updating is essential.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-11-01T12:17:51.260Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec19d

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:55:39 AM

Last updated: 7/31/2025, 10:33:45 AM

