
CVE-2024-12018: CWE-862 Missing Authorization in aliakro Snippet Shortcodes

Severity: Medium
Published: Thu Dec 12 2024 (12/12/2024, 05:24:20 UTC)
Source: CVE Database V5
Vendor/Project: aliakro
Product: Snippet Shortcodes

Description

CVE-2024-12018 is a medium severity vulnerability in the aliakro Snippet Shortcodes WordPress plugin affecting all versions up to and including 4.1.6. It allows authenticated users with Subscriber-level access or higher to delete shortcode entries without proper authorization because the plugin performs no capability check. Although a nonce is used for authentication, its value is leaked, enabling exploitation without additional user interaction. The vulnerability impacts the integrity of shortcode data but does not affect confidentiality or availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to prevent unauthorized shortcode deletions that could disrupt site functionality or content management. Countries with significant WordPress usage and large web hosting markets are most at risk. The CVSS score is 4.

AI-Powered Analysis

Last updated: 02/26/2026, 07:12:55 UTC

Technical Analysis

CVE-2024-12018 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the aliakro Snippet Shortcodes plugin for WordPress in all versions up to and including 4.1.6. The core issue arises from the plugin's failure to properly authorize requests to delete shortcodes. While the plugin implements a nonce mechanism intended to authenticate such actions, the nonce value is leaked, effectively bypassing this protection. This flaw allows any authenticated user with at least Subscriber-level privileges to delete shortcode entries arbitrarily. Since Subscribers typically have minimal permissions, this vulnerability significantly lowers the attack threshold within a WordPress environment. The attack vector is remote (network accessible) and requires no user interaction beyond authentication. The impact is primarily on data integrity, as unauthorized deletion of shortcodes can disrupt website content rendering or functionality dependent on those shortcodes. Confidentiality and availability are not directly impacted. No known exploits have been reported in the wild, but the vulnerability is publicly disclosed and documented in the CVE database. The CVSS v3.1 base score is 4.3, reflecting low complexity and limited impact scope. The vulnerability highlights the importance of robust authorization checks beyond nonce validation in WordPress plugins, especially for actions modifying persistent data.

Potential Impact

The vulnerability allows authenticated users with minimal privileges (Subscriber-level) to delete shortcode data, which can lead to unauthorized modification of website content and functionality. This can disrupt user experience, break site features relying on shortcodes, and potentially cause administrative overhead to restore lost data. While it does not expose sensitive information or cause denial of service, the integrity compromise can undermine trust in the affected website. For organizations relying heavily on the aliakro Snippet Shortcodes plugin to manage dynamic content, this could result in operational disruptions and increased support costs. Attackers could leverage compromised low-privilege accounts or social engineering to gain access and exploit this flaw. Although no known exploits are currently active, the public disclosure increases the risk of future exploitation. The impact is mostly limited to WordPress sites using this specific plugin, but given WordPress's widespread use, the overall affected population is significant.

Mitigation Recommendations

1. Immediately update the aliakro Snippet Shortcodes plugin to a patched version once available. Since no patch links are currently provided, monitor the vendor's official channels for updates.
2. Restrict user roles and permissions rigorously, minimizing the number of users with Subscriber-level or higher access, especially on sites where this plugin is installed.
3. Implement additional access control mechanisms at the web server or application firewall level to detect and block suspicious shortcode deletion requests.
4. Audit and monitor logs for unusual shortcode deletion activities, particularly from low-privilege accounts.
5. Consider temporarily disabling the Snippet Shortcodes plugin if it is not critical to site operations until a patch is released.
6. Educate site administrators about the risks of privilege escalation and the importance of strong authentication controls to prevent unauthorized access.
7. Employ security plugins that can detect and alert on unauthorized changes to WordPress content or plugin data.
8. Review nonce implementation practices in custom plugins or themes to avoid similar authorization bypass issues.
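As an added illustration (not the plugin's own code), the nonce-only pattern behind this CWE-862 finding is shown beside a hardened handler that checks a capability independently of the nonce; the hook name `ss_delete_snippet`, the option key `ss_snippets`, the script handle `ss-admin` and the `manage_options` capability are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical AJAX handler that
// deletes a shortcode entry. Names such as 'ss_delete_snippet' and the option
// key 'ss_snippets' are assumptions, not taken from the plugin.

// Vulnerable pattern (CWE-862): the nonce is the only gate. A nonce proves the
// request came from a page WordPress rendered for this user; it says nothing
// about whether that user is allowed to delete. If the nonce value is exposed
// to low-privilege users, any Subscriber can call this.
function ss_delete_snippet_vulnerable() {
    check_ajax_referer( 'ss_delete_snippet', 'nonce' );    // CSRF check only
    $id       = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $snippets = get_option( 'ss_snippets', array() );
    unset( $snippets[ $id ] );                               // no capability check
    update_option( 'ss_snippets', $snippets );
    wp_send_json_success();
}

// Hardened handler: authorization (capability) is checked independently of the
// nonce, the input is validated, and the nonce is only issued to users who hold
// that capability, so a leaked nonce grants nothing extra.
function ss_delete_snippet_hardened() {
    check_ajax_referer( 'ss_delete_snippet', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {          // CWE-862 fix
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    $id       = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $snippets = get_option( 'ss_snippets', array() );
    if ( 0 === $id || ! array_key_exists( $id, $snippets ) ) {
        wp_send_json_error( array( 'message' => 'Unknown snippet.' ), 400 );
    }
    unset( $snippets[ $id ] );
    update_option( 'ss_snippets', $snippets );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// Register the hardened handler for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_ss_delete_snippet', 'ss_delete_snippet_hardened' );

// Issue the nonce only to authorized users (assumes the 'ss-admin' script is registered).
function ss_enqueue_admin_nonce() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'ss-admin', 'ssAjax', array(
        'nonce' => wp_create_nonce( 'ss_delete_snippet' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ss_enqueue_admin_nonce' );
```

The capability check is the fix for the missing authorization; restricting where the nonce is emitted is defense in depth against the leak the advisory describes.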


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-02T14:22:13.775Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e2ab7ef31ef0b5970bd

Added to database: 2/25/2026, 9:48:26 PM

Last enriched: 2/26/2026, 7:12:55 AM

Last updated: 2/26/2026, 8:30:26 AM

