CVE-2024-12559: CWE-862 Missing Authorization in 1clickdesigns ClickDesigns
CVE-2024-12559 is a medium severity vulnerability in the 1clickdesigns ClickDesigns WordPress plugin (up to version 1.8.0) caused by missing authorization checks on key API management functions. This flaw allows unauthenticated attackers to modify or remove the plugin's API key via the 'clickdesigns_add_api' and 'clickdesigns_remove_api' functions. Exploitation requires no user interaction or authentication and can lead to unauthorized changes to plugin configuration, potentially disrupting service or enabling further attacks. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to websites using this plugin. Organizations relying on ClickDesigns should prioritize patching or applying mitigations to prevent unauthorized API key manipulation. The vulnerability affects all versions of the plugin up to 1.8.0 and is relevant globally wherever the plugin is deployed.
AI Analysis
Technical Summary
CVE-2024-12559 identifies a missing authorization vulnerability (CWE-862) in the ClickDesigns WordPress plugin developed by 1clickdesigns. The vulnerability exists because the plugin fails to perform capability checks on two critical functions: 'clickdesigns_add_api' and 'clickdesigns_remove_api'. These functions handle the addition and removal of the plugin's API key, which is essential for its operation and integration with external services. Due to the absence of proper authorization controls, unauthenticated attackers can invoke these functions remotely and modify or delete the API key without any credentials or user interaction. This flaw affects all versions of the plugin up to and including 1.8.0. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting its medium severity. The attack vector is network-based (remote) and requires neither privileges nor user interaction, but the impact is limited to integrity (modification of API keys) without direct confidentiality or availability consequences. No public exploits or patches have been reported at the time of disclosure. The vulnerability was assigned by Wordfence and published on January 7, 2025. The lack of authorization checks could allow attackers to disrupt plugin functionality or potentially leverage the compromised API key for further malicious activities, depending on the plugin's integration scope.
Potential Impact
The primary impact of this vulnerability is the unauthorized modification or removal of the ClickDesigns plugin's API key, which compromises the integrity of the plugin's configuration. This can lead to denial of service or disruption of plugin features that rely on the API key, potentially affecting website functionality and user experience. Additionally, if the API key is used to authenticate with external services, attackers could manipulate or disable these integrations, causing broader operational issues. While confidentiality and availability are not directly impacted, the integrity breach could be leveraged as a foothold for further attacks, such as injecting malicious content or escalating privileges if combined with other vulnerabilities. Organizations using this plugin on WordPress sites are at risk of unauthorized configuration changes that may undermine the trust and security of their web presence. The vulnerability's ease of exploitation without authentication increases the likelihood of opportunistic attacks, especially on sites with high visibility or critical business functions.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the ClickDesigns plugin to a version that includes proper authorization checks once available. Until a patch is released, administrators should restrict access to the WordPress REST API endpoints or AJAX handlers associated with the 'clickdesigns_add_api' and 'clickdesigns_remove_api' functions by implementing web application firewall (WAF) rules or IP whitelisting. Disabling or removing the plugin temporarily can be considered if the API key management is critical and no mitigations are feasible. Monitoring logs for suspicious requests targeting these functions can help detect exploitation attempts. Additionally, reviewing and rotating API keys after patching is recommended to invalidate any unauthorized changes. Developers maintaining the plugin should implement capability checks to ensure only authorized users (e.g., administrators) can modify API keys and conduct thorough security testing to prevent similar authorization bypass issues in the future.
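As an added illustration of the developer-side fix (this is not ClickDesigns' actual code; the hook, option and nonce names are assumptions), the following contrasts an AJAX handler that lacks the capability check with the hardened form that enforces it:

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler and its fix.
// Not ClickDesigns' real code: hook, option and nonce names are assumed.

// Vulnerable pattern: registered on the "nopriv" hook too, and the callback
// never checks capabilities or a nonce, so any unauthenticated request with
// action=clickdesigns_add_api overwrites the stored key. Shown for contrast
// only; its add_action() lines are deliberately commented out.
function clickdesigns_add_api_vulnerable() {
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'clickdesigns_api_key', $key ); // option name assumed
    wp_send_json_success();
}
// add_action( 'wp_ajax_clickdesigns_add_api', 'clickdesigns_add_api_vulnerable' );
// add_action( 'wp_ajax_nopriv_clickdesigns_add_api', 'clickdesigns_add_api_vulnerable' );

// Shared guard for the hardened handlers: require an administrator-level
// capability and a nonce bound to this action (CSRF protection). Both
// wp_send_json_error() and a failed check_ajax_referer() end the request.
function clickdesigns_require_admin() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'clickdesigns_api_nonce', 'nonce' );
}

function clickdesigns_add_api_hardened() {
    clickdesigns_require_admin();
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    if ( '' === $key ) {
        wp_send_json_error( array( 'message' => 'Missing api_key.' ), 400 );
    }
    update_option( 'clickdesigns_api_key', $key );
    wp_send_json_success();
}

function clickdesigns_remove_api_hardened() {
    clickdesigns_require_admin();
    delete_option( 'clickdesigns_api_key' );
    wp_send_json_success();
}

// Only the authenticated hooks are registered; no wp_ajax_nopriv_ variants,
// and the capability check inside the callback is what actually authorizes.
add_action( 'wp_ajax_clickdesigns_add_api', 'clickdesigns_add_api_hardened' );
add_action( 'wp_ajax_clickdesigns_remove_api', 'clickdesigns_remove_api_hardened' );
```

If the same operations are exposed through the REST API, the equivalent control is a `permission_callback` on `register_rest_route()` that returns `current_user_can( 'manage_options' )`.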
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-12T00:46:54.364Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e43b7ef31ef0b59bee6
Added to database: 2/25/2026, 9:48:51 PM
Last enriched: 2/26/2026, 3:43:37 AM
Last updated: 2/26/2026, 6:14:57 AM