CVE-2024-13703 is a vulnerability identified in the WordPress plugin CRM and Lead Management by vcita, affecting all versions up to and including 2.7.1. The root cause is a missing capability check in the function vcita_ajax_toggle_ae(), which is responsible for toggling plugin widgets on or off. This missing authorization allows any authenticated user with at least Subscriber-level privileges to modify plugin widget states without proper permission validation. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to verify whether the user has the right to perform the requested action. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and low privileges (authenticated user), with no user interaction needed. The impact is limited to integrity, as attackers can alter plugin widget configurations, potentially disrupting site functionality or misleading site administrators. There is no direct impact on confidentiality or availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability affects a widely used WordPress plugin, which is popular among small to medium businesses for CRM and lead management tasks integrated into WordPress sites.

The primary impact of CVE-2024-13703 is unauthorized modification of plugin widget settings within affected WordPress sites. Attackers with Subscriber-level access can enable or disable widgets, which may disrupt normal site operations, degrade user experience, or interfere with business processes relying on the plugin's functionality. While this does not directly compromise sensitive data confidentiality or cause denial of service, it undermines the integrity of the plugin's configuration and can be leveraged as part of a broader attack chain, such as preparing for privilege escalation or social engineering. Organizations relying on this plugin for customer relationship management or lead tracking may experience operational disruptions or loss of trust if attackers manipulate visible site components. Since exploitation requires authenticated access, the risk is higher in environments with weak user access controls or where Subscriber accounts are easily compromised or created. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits after public disclosure.

To mitigate CVE-2024-13703, organizations should: 1) Update the CRM and Lead Management by vcita plugin to a version that includes the authorization check fix once released by the vendor. 2) In the interim, restrict Subscriber-level user creation and review existing user roles to ensure minimal privileges are assigned. 3) Implement strict user access controls and monitor for unusual widget toggling activity in the WordPress admin interface. 4) Use Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized AJAX requests targeting the vcita_ajax_toggle_ae() function. 5) Conduct regular audits of plugin configurations and user activity logs to detect unauthorized changes. 6) Educate site administrators about the risk of granting unnecessary privileges and encourage the use of strong authentication mechanisms such as MFA to reduce the likelihood of account compromise. 7) Consider temporarily disabling or removing the plugin if it is not critical to operations until a patch is available.