CVE-2024-13468: CWE-862 Missing Authorization in solwininfotech Trash Duplicate and 301 Redirect
CVE-2024-13468 is a high-severity vulnerability in the WordPress plugin 'Trash Duplicate and 301 Redirect' by solwininfotech. It arises from a missing authorization check on the 'duplicates-action-top' action, allowing unauthenticated attackers to delete arbitrary posts or pages. All versions up to and including 1.9 of the plugin are affected. Exploitation requires no authentication and no user interaction, so the vulnerability is easy for attackers to reach. No exploits have been reported in the wild so far, but the potential for data loss and content disruption is significant. The vulnerability affects the integrity of website content; it does not directly affect confidentiality or availability. Organizations running this plugin are at risk of unauthorized content deletion, which can disrupt business operations and damage reputation. Immediate mitigation is to remove or disable the vulnerable plugin until a patch is available, or to enforce strict access controls at the web server or web application firewall level. Countries with large WordPress user bases and a significant web presence, such as the United States, India, Brazil, Germany, and the United Kingdom, are most likely to be affected.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2024-13468 affects the 'Trash Duplicate and 301 Redirect' WordPress plugin developed by solwininfotech. The root cause is a missing authorization check (CWE-862) on the 'duplicates-action-top' action, which handles the plugin's duplicate-content management and redirection tasks. In WordPress, a handler that modifies content is expected to verify the caller's capability (for example with current_user_can()) before acting; because this handler performs no such verification, unauthenticated attackers can invoke it to delete arbitrary posts or pages on the affected site. This directly compromises the integrity of website content and can lead to significant data loss. All versions of the plugin up to and including 1.9 are affected. The CVSS 3.1 base score is 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. Although no public exploits have been reported yet, the ease of exploitation and the consequences of content deletion make this a serious threat for WordPress sites using this plugin. The CVE was reserved in January 2025 and published in February 2025; no patch had been released at the time of this report.
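The following PHP is an added illustration of the CWE-862 pattern described above, written for this page; it is not the plugin's own code, and the function names, the nonce action name and the 'post' request field are hypothetical. It shows a bulk-action handler that trusts the presence of the 'duplicates-action-top' parameter beside the same handler with the authorization, CSRF and per-object checks WordPress provides for this purpose.

```php
<?php
// Added example: missing authorization (CWE-862) in a WordPress bulk-action
// handler, and the hardened form. Not the plugin's code; names are hypothetical.

// BEFORE: the handler acts as soon as the parameter is present. Anyone who can
// reach the hook it is attached to can delete posts, logged in or not.
function tdr_example_bulk_action_vulnerable() {
    if ( empty( $_REQUEST['duplicates-action-top'] ) ) {
        return;
    }
    // 'post' is the conventional WordPress bulk-action field (assumption here).
    $post_ids = array_map( 'absint', (array) ( $_REQUEST['post'] ?? array() ) );
    foreach ( $post_ids as $post_id ) {
        wp_delete_post( $post_id ); // no capability check, no nonce check
    }
}

// AFTER: authorize the caller before touching any data.
function tdr_example_bulk_action_fixed() {
    if ( empty( $_REQUEST['duplicates-action-top'] ) ) {
        return;
    }
    // 1. Coarse authorization: an anonymous visitor or a user without the
    //    delete_posts capability is refused with HTTP 403.
    if ( ! is_user_logged_in() || ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a valid nonce for this action
    //    (nonce action name is hypothetical). check_admin_referer() dies on failure.
    check_admin_referer( 'tdr_example_bulk_action', '_wpnonce' );

    $post_ids = array_map( 'absint', (array) ( $_REQUEST['post'] ?? array() ) );
    foreach ( $post_ids as $post_id ) {
        // 3. Per-object authorization: 'delete_post' is a meta capability that
        //    map_meta_cap() resolves per post, so an Author can only remove
        //    their own posts while an Editor can remove others' posts.
        if ( ! current_user_can( 'delete_post', $post_id ) ) {
            continue;
        }
        wp_delete_post( $post_id );
    }
}

// Where the real plugin wires its handler is not stated on this page; 'init'
// is used here only to show the hardened function being attached to a hook.
add_action( 'init', 'tdr_example_bulk_action_fixed' );
```

The order of the checks matters: the capability check runs before the nonce check so that an unauthenticated request is refused without revealing whether a nonce would have been accepted, and the per-post check runs inside the loop because a coarse role capability does not say which posts the user may delete.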
Potential Impact
The primary impact of CVE-2024-13468 is unauthorized deletion of posts and pages, which compromises the integrity of website content. This can cause significant operational disruption for organizations that rely on WordPress for content management, including loss of business information, customer-facing content, and search rankings for the removed URLs. Because no credentials are required, attackers can exploit the vulnerability remotely, which raises the risk of widespread, automated abuse. Availability and confidentiality are not directly affected, but the loss of content integrity can indirectly harm business continuity and the trustworthiness of the affected sites. Organizations may face reputational damage, loss of user trust, and financial losses from downtime or recovery effort. How recoverable the damage is depends on how the plugin removes the content: if items are only moved to the WordPress trash they can be restored within the trash retention period (30 days by default), whereas permanently deleted items can only be recovered from backups. Sites without frequent backups or a tested restore procedure are therefore the most exposed. Given WordPress's global popularity, the population of potentially affected systems is broad, although only sites with this specific plugin installed are at risk.
Mitigation Recommendations
1. Disable or uninstall the 'Trash Duplicate and 301 Redirect' plugin until solwininfotech releases a fixed version. Deactivating the plugin removes the vulnerable action handler entirely.
2. If the plugin cannot be removed, block unauthenticated requests that carry the 'duplicates-action-top' parameter at the web server or web application firewall, and restrict the WordPress admin area to trusted IP ranges where the site's workflow allows it. A rule keyed on the parameter name is more reliable than a rule keyed on a path, because the control must cover whichever request path the plugin processes the action on.
3. Keep WordPress role assignments tight so that plugin management and content deletion are limited to trusted accounts. This is general hygiene that limits what a compromised low-privilege account can do; it does not by itself stop the unauthenticated case described here.
4. Back up site content and the database regularly and test restores, so that deleted posts and pages can be recovered quickly. If the plugin moves items to the trash rather than deleting them permanently, check the WordPress trash first: trashed content can be restored within the trash retention period (30 days by default).
5. Monitor web server and WordPress logs for requests containing 'duplicates-action-top'. Note that web server access logs record the query string but not POST bodies, so a parameter sent in a POST body is visible only if the application, a WAF, or a request-logging module records it.
6. Watch for vendor updates and apply a fixed release as soon as it is published.
7. If the plugin remains unpatched for an extended period, migrate to an alternative plugin with a better security track record.
8. Use a security plugin or WAF that can detect and block unauthorized content deletion attempts and suspicious administrative actions.
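Steps 2, 5 and 8 above describe an application-level control plus monitoring. The must-use plugin below is an added example of such an interim control, written for this page; it is not a vendor patch and not the plugin's code. It assumes that the vulnerable request carries a request parameter named 'duplicates-action-top' (in the query string or POST body), as the advisory text describes, and that the plugin processes that parameter from a hook that fires at or after 'init', so that a guard on 'init' at priority 0 runs first. Place the file in wp-content/mu-plugins/ and remove it once a fixed plugin release is installed.

```php
<?php
/**
 * Plugin Name: Interim guard for duplicates-action-top (CVE-2024-13468)
 * Description: Added example of an application-level control, not a vendor patch.
 *
 * Assumptions: the vulnerable request carries a 'duplicates-action-top'
 * parameter, and the plugin handles it on 'init' or a later hook.
 */

// Pure decision function: true when the request must be refused. Kept free of
// WordPress globals so the policy can be read (and unit-tested) in isolation.
function cve_2024_13468_guard_should_block( array $request, bool $logged_in, bool $can_delete ): bool {
    if ( ! array_key_exists( 'duplicates-action-top', $request ) ) {
        return false; // not the vulnerable action, leave the request alone
    }
    // Only a logged-in user holding delete_posts may proceed; this mirrors the
    // authorization check the vulnerable handler is missing.
    return ! ( $logged_in && $can_delete );
}

function cve_2024_13468_guard() {
    $block = cve_2024_13468_guard_should_block(
        $_REQUEST,
        is_user_logged_in(),
        current_user_can( 'delete_posts' )
    );
    if ( ! $block ) {
        return;
    }
    // Audit trail for the monitoring step: this also captures POST-body
    // occurrences of the parameter that access logs would not show.
    error_log( sprintf(
        'CVE-2024-13468 guard: refused duplicates-action-top from %s (%s %s)',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_METHOD'] ?? '?',
        $_SERVER['REQUEST_URI'] ?? '?'
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// Priority 0 so the guard runs before plugin callbacks on the same hook.
add_action( 'init', 'cve_2024_13468_guard', 0 );
```

The guard is deliberately coarse: it refuses every request that names the parameter unless the caller could legitimately delete content, which preserves the plugin's normal use by editors and administrators while closing the unauthenticated path. If the site sits behind a reverse proxy, REMOTE_ADDR will be the proxy's address unless WordPress has been configured to trust the forwarded client IP.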
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-16T15:47:36.339Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e59b7ef31ef0b59ec0e
Added to database: 2/25/2026, 9:49:13 PM
Last enriched: 2/26/2026, 12:43:29 AM
Last updated: 2/26/2026, 8:03:10 AM
Related Threats
- CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup (High)
- CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator (Medium)
- CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo (Medium)