CVE-2024-13717: CWE-862 Missing Authorization in vcita Contact Form and Calls To Action by vcita
CVE-2024-13717 is a medium severity vulnerability in the WordPress plugin 'Contact Form and Calls To Action by vcita' up to version 2.7.1. It arises from missing authorization checks in the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact functions, allowing authenticated users with subscriber-level access or higher to enable or disable widgets without proper permissions. The vulnerability does not impact confidentiality or availability but has a low integrity impact through unauthorized modification of widget states. Exploitation requires authentication but no user interaction beyond login. There are no known exploits in the wild, and no patches have been linked yet. Organizations using this plugin should monitor for updates and restrict subscriber privileges where possible to mitigate risk.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2024-13717 affects the 'Contact Form and Calls To Action by vcita' WordPress plugin, versions up to and including 2.7.1. It is categorized under CWE-862, which refers to missing authorization. Specifically, the plugin's AJAX handler functions 'vcita_ajax_toggle_ae' and 'vcita_ajax_toggle_contact' lack proper capability checks, allowing authenticated users with subscriber-level permissions or higher to toggle the enabled state of widgets. This means that attackers who have minimal authenticated access can modify widget states without the intended administrative authorization. The vulnerability does not expose sensitive data or allow denial of service but permits unauthorized modification of plugin behavior, potentially disrupting site functionality or user experience. The CVSS 3.1 base score is 4.3 (medium), reflecting low impact on integrity and no impact on confidentiality or availability. Exploitation requires network access and valid credentials but no user interaction beyond login. No public exploits are known, and no official patches have been released at the time of this report. The vulnerability was published on January 31, 2025, and assigned by Wordfence. Given the widespread use of WordPress and the popularity of vcita plugins for business contact forms, this vulnerability could affect many websites if left unmitigated.
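The defect class described above (an AJAX handler reachable by any logged-in user that never checks a capability) is easiest to see next to its fixed form. The following is an added illustrative example, not the vcita plugin's code: the function, action and option names are hypothetical, and the widget being toggled is a stand-in for the plugin's own settings.

```php
<?php
// Illustrative example (not the vcita plugin's code). Function, hook and
// option names below are hypothetical stand-ins.

// VULNERABLE PATTERN (CWE-862): wp_ajax_* hooks fire for every authenticated
// user, subscribers included. The handler changes a site-wide setting but
// never asks whether the caller is allowed to do so.
function example_toggle_widget_unchecked() {
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_widget_enabled', $enabled ); // hypothetical option
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle_widget_unchecked', 'example_toggle_widget_unchecked' );

// HARDENED PATTERN: two separate checks.
//  1. check_ajax_referer() verifies a nonce and stops CSRF; it is NOT
//     authorization, because any logged-in user can obtain a nonce for their
//     own session.
//  2. current_user_can() is the authorization check that actually closes
//     CWE-862; 'manage_options' restricts the action to administrators.
function example_toggle_widget_checked() {
    check_ajax_referer( 'example_toggle_widget', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends the request with an HTTP 403.
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_widget_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle_widget_checked', 'example_toggle_widget_checked' );
```

The check to review in any plugin audit is the second one: a handler that only calls `check_ajax_referer()` still has the missing-authorization defect, since the nonce proves the request came from the user's own session, not that the user holds the required capability.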
Potential Impact
The primary impact of CVE-2024-13717 is unauthorized modification of widget states within affected WordPress sites. While it does not compromise sensitive data or cause service outages, unauthorized enabling or disabling of widgets can disrupt website functionality, degrade user experience, or interfere with business operations relying on contact forms and calls to action. Attackers with subscriber-level access, which is a low privilege role, can exploit this to alter site behavior without administrative approval. This could be leveraged in combination with other vulnerabilities or social engineering to escalate attacks or cause reputational damage. Organizations relying on the vcita plugin for customer engagement or lead generation may face operational disruptions or loss of trust if attackers manipulate their site widgets. The vulnerability's medium severity reflects its limited but non-negligible risk, especially in environments where subscriber accounts are easily obtained or compromised.
Mitigation Recommendations
To mitigate CVE-2024-13717, organizations should:
1) Immediately review and restrict subscriber-level user accounts to only trusted individuals, minimizing the risk of unauthorized access.
2) Monitor and audit user activities related to widget management to detect unauthorized toggling.
3) Temporarily disable or remove the 'Contact Form and Calls To Action by vcita' plugin if subscriber access cannot be tightly controlled until a patch is released.
4) Follow vcita and WordPress security advisories closely and apply official patches or updates as soon as they become available.
5) Consider implementing additional access control plugins or custom code to enforce capability checks on the affected AJAX functions as a temporary workaround.
6) Harden WordPress installations by enforcing strong authentication, limiting plugin installations, and employing web application firewalls to detect anomalous AJAX requests.
These steps go beyond generic advice by focusing on user role management, monitoring, and temporary compensating controls specific to this vulnerability.
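Items 2 and 5 above can be combined in a single must-use plugin that runs ahead of the vulnerable handlers, blocks callers without the administrative capability, and writes an audit line for each blocked attempt. This is an added example, not vcita's or WordPress's code. It assumes the two affected functions are registered as AJAX actions named after themselves (hooks `wp_ajax_vcita_ajax_toggle_ae` and `wp_ajax_vcita_ajax_toggle_contact`); the page names the functions but not the hook names, so confirm them in the installed plugin's `add_action()` calls before relying on this, and the `manage_options` capability is likewise an assumption about which role should be allowed to toggle widgets.

```php
<?php
/**
 * Plugin Name: Compensating control for CVE-2024-13717 (illustrative example)
 *
 * Added example, not the vcita plugin's code. Place in wp-content/mu-plugins/
 * so it loads before regular plugins.
 *
 * ASSUMPTION: the affected handlers are hooked as wp_ajax_<function name>.
 * Verify against the plugin source before deploying.
 */

const CVE_2024_13717_ACTIONS = array(
    'vcita_ajax_toggle_ae',
    'vcita_ajax_toggle_contact',
);

/**
 * Runs at priority 0 on each affected hook, i.e. before the plugin's own
 * callback (default priority 10). Administrators pass through; everyone else
 * is logged and the request is ended, so later callbacks never execute.
 */
function cve_2024_13717_guard() {
    // ASSUMPTION: administrators (manage_options) are the intended audience.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $user   = wp_get_current_user();
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Audit trail for mitigation item 2: who tried to toggle what, and from where.
    error_log( sprintf(
        'CVE-2024-13717 guard: blocked action=%s user_id=%d login=%s ip=%s',
        $action,
        $user->ID,
        $user->user_login,
        $remote
    ) );

    // wp_send_json_error() calls wp_die(), which stops the request here.
    wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
}

foreach ( CVE_2024_13717_ACTIONS as $action ) {
    add_action( 'wp_ajax_' . $action, 'cve_2024_13717_guard', 0 );
}
```

Because `wp_send_json_error()` terminates the request, the plugin's original handler registered at a later priority on the same hook is never reached for a blocked caller. The `error_log()` lines land in the PHP error log (or `wp-content/debug.log` when `WP_DEBUG_LOG` is enabled), which is where the audit in item 2 should be collected from. Remove the guard once an official fix is applied so it does not mask the patched behaviour.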
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-24T15:23:25.595Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e6ab7ef31ef0b5a03e3
Added to database: 2/25/2026, 9:49:30 PM
Last enriched: 2/25/2026, 10:30:15 PM
Last updated: 2/26/2026, 8:12:22 AM