CVE-2024-13716 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Forex Calculators plugin for WordPress, developed by tarborali. The issue exists in the ajax_settings_callback() function, which lacks proper capability checks to verify if the authenticated user has the necessary permissions to modify plugin settings. This flaw affects all versions up to and including 1.3.5. Because of this missing authorization, any authenticated user with at least Subscriber-level access can exploit the vulnerability to update the plugin's settings without administrative privileges. The vulnerability does not require user interaction beyond authentication and can be triggered remotely over the network (AV:N). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) indicates that the attack complexity is low, privileges required are low (authenticated user), and there is no impact on confidentiality or availability, only integrity is affected. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability could be leveraged to alter plugin configurations, potentially enabling further attacks or misconfigurations within affected WordPress sites.

The primary impact of CVE-2024-13716 is the unauthorized modification of plugin settings, which compromises the integrity of the Forex Calculators plugin configuration. While it does not directly expose sensitive data or cause denial of service, unauthorized changes could lead to misbehavior of the plugin, incorrect financial calculations, or the introduction of malicious configurations that might facilitate further exploitation or data manipulation. Organizations relying on this plugin for financial calculations on WordPress sites could face reputational damage, loss of user trust, and potential financial inaccuracies affecting business decisions. Since exploitation requires authenticated access at Subscriber level or above, the risk is elevated in environments where user accounts are not tightly controlled or where attackers can gain low-level access through phishing or credential stuffing. The vulnerability's network accessibility and low complexity increase the likelihood of exploitation in poorly secured WordPress installations.

To mitigate CVE-2024-13716, organizations should immediately restrict Subscriber-level user permissions to only trusted individuals, minimizing the risk of unauthorized access. Administrators should audit user roles and capabilities to ensure no unnecessary privileges are granted. Since no official patch is currently available, consider temporarily disabling or removing the Forex Calculators plugin until a fix is released. Implement web application firewalls (WAFs) with custom rules to detect and block unauthorized ajax_settings_callback() requests from non-administrative users. Monitor plugin configuration changes and WordPress logs for suspicious activity indicative of exploitation attempts. Additionally, enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of account compromise. Stay updated with vendor announcements for patches and apply them promptly once available.