CVE-2024-12028: CWE-862 Missing Authorization in akirk Friends

Severity: Medium
Published: Fri Dec 06 2024 (12/06/2024, 08:24:55 UTC)
Source: CVE Database V5
Vendor/Project: akirk
Product: Friends

Description

CVE-2024-12028 is a medium severity vulnerability in the akirk Friends WordPress plugin (up to version 3.2.1) caused by missing authorization checks on several REST API endpoints. This flaw allows unauthenticated attackers to send and accept friend requests on behalf of targeted websites, enabling them to communicate as accepted friends without permission. The vulnerability does not impact confidentiality but allows limited integrity compromise by manipulating friend relationships. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Although no known exploits are currently in the wild, the widespread use of WordPress and this plugin increases the risk. Organizations using this plugin should prioritize patching or implementing access controls to mitigate unauthorized API usage. Countries with large WordPress user bases and active web communities are most at risk. The CVSS score is 5.

AI-Powered Analysis

Last updated: 02/26/2026, 07:01:22 UTC

Technical Analysis

CVE-2024-12028 is a vulnerability identified in the Friends plugin developed by akirk for WordPress, affecting all versions up to and including 3.2.1. The root cause is a missing authorization (capability) check on multiple REST API endpoints, which violates CWE-862 (Missing Authorization). This security gap allows unauthenticated attackers to interact with the plugin’s friend request functionality remotely without any credentials or user interaction. Specifically, attackers can send arbitrary friend requests on behalf of another website and accept friend requests for the targeted site, effectively impersonating the site in friend communications. This unauthorized manipulation of friend relationships can lead to integrity issues, as attackers can establish trust relationships that should not exist. The vulnerability does not expose confidential data directly nor does it allow denial of service, but it undermines the integrity of social interactions managed by the plugin. The CVSS v3.1 base score is 5.3 (medium), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, but partial integrity impact. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly by affected users.

Potential Impact

The primary impact of this vulnerability is the unauthorized manipulation of friend relationships within WordPress sites using the akirk Friends plugin. Attackers can impersonate legitimate users or websites by sending and accepting friend requests without authorization, potentially enabling further social engineering or trust-based attacks within the compromised site’s ecosystem. This could lead to unauthorized communications, misinformation, or abuse of trust mechanisms that rely on friend relationships. While there is no direct data breach or service disruption, the integrity compromise can facilitate lateral attacks or reputation damage. Organizations relying on this plugin for community or social features may face risks of user trust erosion and indirect exploitation. Since exploitation requires no authentication and can be performed remotely, the vulnerability poses a moderate risk to any WordPress site using the affected plugin. The lack of known exploits in the wild reduces immediate threat but does not eliminate future risk, especially given the popularity of WordPress globally.

Mitigation Recommendations

1. Immediate mitigation involves updating the akirk Friends plugin to a patched version once released by the vendor. Since no patch links are currently available, monitor official sources for updates.
2. As a temporary measure, restrict access to the vulnerable REST API endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests targeting the Friends plugin API paths.
3. Limit REST API access to authenticated and authorized users only, using WordPress capabilities or custom access control plugins.
4. Conduct an audit of friend relationships created recently to detect suspicious or unauthorized connections and remove them.
5. Disable or uninstall the Friends plugin if it is not essential, to reduce attack surface.
6. Monitor logs for unusual friend request activity or API calls indicative of exploitation attempts.
7. Educate site administrators about the risk and ensure they follow least privilege principles for user roles interacting with social features.
8. Employ security plugins that can detect and block unauthorized REST API usage.

These steps collectively reduce the risk until an official patch is applied.
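To make the CWE-862 pattern behind this advisory and mitigation step 3 concrete, the following is an added illustration of how a WordPress REST route is registered without an authorization check and how the same route looks with a capability check. It is not the Friends plugin's code; the namespace, route paths, callback names and the `manage_options` capability are hypothetical choices for the example.

```php
<?php
// Added example (not the Friends plugin's code). Namespace, routes,
// callback names and the required capability are hypothetical.

add_action( 'rest_api_init', function () {
    // Weak pattern: '__return_true' as permission_callback means any
    // unauthenticated client may call a state-changing endpoint. This is
    // the class of flaw CWE-862 describes; shown here only for contrast.
    register_rest_route( 'example-friends/v1', '/accept-weak', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_accept_friend_request',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: a permission_callback that enforces authentication
    // and a capability, plus typed/sanitized arguments.
    register_rest_route( 'example-friends/v1', '/accept', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_accept_friend_request',
        'permission_callback' => 'example_can_manage_friends',
        'args'                => array(
            'request_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Returns true only for a logged-in user holding the required capability;
// WordPress turns the WP_Error into a 401 or 403 response otherwise.
function example_can_manage_friends( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) { // hypothetical capability
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler reached only after the permission callback succeeds.
function example_accept_friend_request( WP_REST_Request $request ) {
    $request_id = $request->get_param( 'request_id' );
    // The plugin-specific state change (marking the request accepted) goes here.
    return rest_ensure_response( array( 'accepted' => $request_id ) );
}
```

For endpoints that peer sites call rather than logged-in users, the permission callback would validate the peer's credential (for example a shared secret or signature) instead of a user capability; the point is that every state-changing route needs some authorization decision other than `__return_true`.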


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-02T15:04:16.202Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e2ab7ef31ef0b5970d6

Added to database: 2/25/2026, 9:48:26 PM

Last enriched: 2/26/2026, 7:01:22 AM

Last updated: 2/26/2026, 9:40:00 AM