CVE-2024-13232 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress Awesome Import & Export Plugin developed by ddeveloper. The flaw exists in the renderImport() function, which lacks proper capability checks, allowing authenticated users with low-level privileges (Subscriber and above) to execute arbitrary SQL statements on the backend database. This arbitrary SQL execution can be leveraged to escalate privileges, notably by creating new administrative user accounts, thereby granting attackers full control over the WordPress site. The vulnerability affects all plugin versions up to and including 4.1.1. The CVSS 3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. The vulnerability is remotely exploitable over the network by any authenticated user, making it particularly dangerous in multi-user WordPress environments. No patches or official fixes have been linked yet, and no known exploits are publicly reported, but the potential for damage is significant. This vulnerability underscores the critical need for strict authorization checks in WordPress plugins, especially those handling import/export operations that interact directly with the database.

The impact of CVE-2024-13232 is severe for organizations running WordPress sites with the affected plugin installed. Attackers with minimal privileges can execute arbitrary SQL commands, leading to full site compromise through privilege escalation. This can result in unauthorized data access, data manipulation, creation of backdoor administrative accounts, and potential site defacement or downtime. The breach of confidentiality and integrity can expose sensitive user data and intellectual property, while availability may be disrupted by malicious database operations. For organizations relying on WordPress for business-critical websites, this vulnerability poses a significant risk of reputational damage, regulatory non-compliance, and financial loss. The ease of exploitation and lack of required user interaction increase the likelihood of targeted attacks, especially in environments with multiple authenticated users such as membership sites, forums, or multi-author blogs.

To mitigate CVE-2024-13232, organizations should immediately restrict plugin usage to trusted users only and audit user roles to minimize the number of accounts with Subscriber-level or higher access. Disable or uninstall the WordPress Awesome Import & Export Plugin if it is not essential. Monitor and review user account creation logs for suspicious activity, particularly the addition of new administrators. Implement Web Application Firewall (WAF) rules to detect and block unusual SQL queries or attempts to access the vulnerable function. Until an official patch is released, consider applying custom authorization checks by modifying the plugin code to enforce capability verification in the renderImport() function. Regularly back up WordPress databases and files to enable recovery from potential compromise. Additionally, keep WordPress core and all plugins updated and subscribe to security advisories for timely patching once available.