
CVE-2024-12114: CWE-639 Authorization Bypass Through User-Controlled Key in bradvin FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Severity: Medium
Published: Sat Mar 08 2025 (03/08/2025, 05:30:09 UTC)
Source: CVE Database V5
Vendor/Project: bradvin
Product: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Description

CVE-2024-12114 is a medium severity vulnerability in the FooGallery WordPress plugin that allows authenticated users in certain roles to update arbitrary post and page content because the user-controlled key (img_id) passed to an AJAX action is not validated against the caller's permissions. The flaw is an Insecure Direct Object Reference (IDOR) stemming from a missing object-level authorization check in the foogallery_attachment_modal_save AJAX handler. Exploitation requires the plugin's Gallery Creator Role setting to be lower than 'Editor'; no user interaction is needed beyond authentication. The flaw does not impact confidentiality or availability, but it allows unauthorized content modification and so affects website integrity. No known exploits are currently reported in the wild. Organizations using FooGallery versions up to and including 2.4.29 should review the role configuration and apply a patch once available. The risk is highest on WordPress sites where the Gallery Creator Role is permissive and content integrity is critical.

AI-Powered Analysis

Last updated: 02/26/2026, 06:32:07 UTC

Technical Analysis

CVE-2024-12114 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in the FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress. It affects all versions up to and including 2.4.29. The root cause is an Insecure Direct Object Reference (IDOR) in the foogallery_attachment_modal_save AJAX action: the handler takes the user-controlled 'img_id' parameter and acts on the object it names without checking that the caller is allowed to edit that specific object. A logged-in user whose role is granted gallery access through the plugin's Gallery Creator Role setting can therefore update arbitrary posts and pages, bypassing the intended authorization controls. The precondition that the Gallery Creator Role be set below 'Editor' matters because an Editor already holds edit_others_posts and edit_others_pages in a default WordPress install, so there is no privilege gain at Editor or above; the bypass is meaningful when the setting grants gallery access to Author, Contributor or similar roles. The attack requires only an authenticated account in that role and no further user interaction. Confidentiality and availability are not affected; integrity is, through unauthorized content modification. The CVSS v3.1 score is 4.3 (medium), reflecting low attack complexity and a limited integrity impact. No public exploits have been reported, and no official patch is linked at this time. The vulnerability highlights the need for object-level authorization checks (not just "is the user logged in?") on user-supplied identifiers in AJAX endpoints within WordPress plugins.
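The following is an added illustration of the CWE-639 pattern described above, written for this page; it is not FooGallery's code. Only the AJAX action name and the img_id parameter come from the advisory. The function names, the 'caption' field, the nonce action and the assumption that img_id names an attachment post are hypothetical. The first handler trusts the client-supplied key outright; the second ties the request to a nonce and checks the caller's capability against the exact object the key names.

```php
<?php
/*
 * Added illustration of CWE-639 in a WordPress AJAX handler (not FooGallery's code).
 * Hypothetical: function names, the 'caption' field, the nonce action 'example_modal_save',
 * and the assumption that img_id is the ID of an attachment post.
 */

// Vulnerable pattern: img_id is user-controlled and is used as-is.
// Any account that can reach this action can point it at any post ID.
function example_attachment_modal_save_vulnerable() {
    $img_id  = isset( $_POST['img_id'] ) ? absint( $_POST['img_id'] ) : 0;
    $caption = isset( $_POST['caption'] )
        ? sanitize_text_field( wp_unslash( $_POST['caption'] ) )
        : '';

    // Writes to whatever post the client named: no check that the caller
    // may edit that object, and no CSRF protection.
    wp_update_post( array(
        'ID'           => $img_id,
        'post_excerpt' => $caption,
    ) );
    wp_send_json_success();
}

// Hardened pattern: nonce first, then object-level authorization.
function example_attachment_modal_save_hardened() {
    // Rejects the request (and dies) if the nonce is missing or invalid.
    check_ajax_referer( 'example_modal_save', 'nonce' );

    $img_id = isset( $_POST['img_id'] ) ? absint( $_POST['img_id'] ) : 0;

    // The key must resolve to the kind of object this endpoint exists to edit;
    // a post or page ID smuggled into img_id is rejected here.
    if ( ! $img_id || 'attachment' !== get_post_type( $img_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid image' ), 400 );
    }

    // Object-level check: WordPress maps edit_post on an attachment to the
    // caller's role and the attachment's author, so a Contributor can only
    // reach their own uploads while an Editor can reach anyone's.
    if ( ! current_user_can( 'edit_post', $img_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $caption = isset( $_POST['caption'] )
        ? sanitize_text_field( wp_unslash( $_POST['caption'] ) )
        : '';

    wp_update_post( array(
        'ID'           => $img_id,
        'post_excerpt' => $caption,
    ) );
    wp_send_json_success();
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_attachment_modal_save', 'example_attachment_modal_save_hardened' );
```

The two functions differ only in the nonce check, the post-type check and the current_user_can( 'edit_post', $img_id ) call; the role-level gate that lets a user open the gallery modal at all is a separate, coarser control and does not substitute for the per-object check.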

Potential Impact

The primary impact of CVE-2024-12114 is unauthorized modification of website content, which undermines the integrity and trustworthiness of affected WordPress sites. An attacker holding an account in the role configured as the plugin's Gallery Creator Role (with that setting below Editor) can alter posts and pages they would otherwise be unable to edit, injecting misleading information, defacing content, or inserting links or other markup to the extent the handler's write path allows. Confidentiality and availability are not directly impacted, but the integrity breach can cause reputational damage, loss of user trust, and follow-on risk if malicious content is introduced. Sites that rely on FooGallery and have many contributors or a permissive Gallery Creator Role face the greatest exposure, and high-visibility sites are the most likely targets. With no known exploits in the wild the current risk is moderate, but it would rise quickly if the issue were weaponized. The scope is limited to WordPress sites running a vulnerable plugin version with a permissive Gallery Creator Role setting.

Mitigation Recommendations

To mitigate CVE-2024-12114, first audit WordPress installations for the FooGallery plugin and record the version in use. As an immediate step, set the plugin's Gallery Creator Role setting to 'Editor' or higher so that roles below Editor cannot reach the vulnerable action; then review user role assignments and confirm that only trusted accounts hold roles with content modification capabilities. Monitor calls to the foogallery_attachment_modal_save AJAX action for unusual activity, in particular one account cycling through many distinct img_id values. Note that admin-ajax.php requests carry the action and img_id in the POST body, so web-server access logs alone will not show them; log at the application layer (a small plugin hooked on the action) or at a WAF that inspects request bodies. Since no official patch is currently linked, subscribe to vendor or security mailing lists and apply the fix promptly once released. A WAF rule that rejects foogallery_attachment_modal_save requests whose img_id does not belong to the requesting user can provide interim protection. Keep regular backups of site content so unauthorized changes can be reverted. Finally, educate administrators and content creators about the risks of role misconfiguration and enforce the principle of least privilege.
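An added example of the interim application-layer control and audit logging described above, written for this page and not vendor code. It is a must-use plugin that hooks the vulnerable AJAX action at a lower priority than the plugin's own callback, logs every call, and fails closed when the caller cannot edit the object named by img_id. Assumptions, labelled as such: the plugin registers its handler on wp_ajax_foogallery_attachment_modal_save at the default priority 10, and img_id is the ID of the attachment post being updated. Only the action and parameter names come from the advisory.

```php
<?php
/*
 * Plugin Name: Example guard for foogallery_attachment_modal_save (added illustration, not vendor code)
 * Description: Interim object-level authorization check plus audit logging for CVE-2024-12114.
 *
 * Install by copying into wp-content/mu-plugins/, which WordPress loads before regular plugins.
 *
 * Assumptions (not taken from the advisory): the vulnerable handler is registered on
 * wp_ajax_foogallery_attachment_modal_save at the default priority 10, and img_id is the
 * ID of the attachment post being written. Remove this file once a vendor fix is applied.
 */

function example_fg_modal_save_guard() {
    $img_id  = isset( $_POST['img_id'] ) ? absint( $_POST['img_id'] ) : 0;
    $user_id = get_current_user_id();
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Audit every call. A single user_id appearing with many distinct img_id
    // values in a short window is the signature of an IDOR sweep.
    error_log( sprintf(
        'foogallery_attachment_modal_save user=%d ip=%s img_id=%d',
        $user_id,
        $ip,
        $img_id
    ) );

    // Object-level check the vulnerable handler lacks: the caller must be able
    // to edit this specific attachment. wp_send_json_error() calls wp_die(),
    // so the plugin's own priority-10 callback never runs on a denied request.
    if ( ! $img_id || ! current_user_can( 'edit_post', $img_id ) ) {
        error_log( sprintf(
            'foogallery_attachment_modal_save DENIED user=%d ip=%s img_id=%d',
            $user_id,
            $ip,
            $img_id
        ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}

// Priority 1 runs before the plugin's default-priority (10) handler on the same hook.
add_action( 'wp_ajax_foogallery_attachment_modal_save', 'example_fg_modal_save_guard', 1 );
```

Test this on staging before production: the edit_post check restricts gallery creators to attachments they are allowed to edit under normal WordPress rules (own uploads for Author and Contributor, anyone's for Editor and above), which may be tighter than the workflow the site relies on. The DENIED log line, read from the PHP error log or wherever error_log() is routed, is the detection signal to alert on.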


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-12-03T20:45:57.298Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e2db7ef31ef0b597506

Added to database: 2/25/2026, 9:48:29 PM

Last enriched: 2/26/2026, 6:32:07 AM

Last updated: 2/26/2026, 7:48:40 AM
