CVE-2024-13767 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Live2DWebCanvas plugin for WordPress, affecting all versions up to 1.9.11. The root cause is insufficient validation of file paths in the ClearFiles() function, which is responsible for deleting files. This flaw allows authenticated users with Subscriber-level privileges or higher to delete arbitrary files on the server. Since Subscriber-level access is relatively low privilege in WordPress, this significantly lowers the barrier for exploitation. By deleting critical files such as wp-config.php, an attacker can disrupt the configuration and potentially trigger remote code execution or site takeover. The vulnerability has a CVSS 3.1 base score of 8.1, reflecting its high impact on integrity and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits are currently in the wild, the vulnerability poses a serious risk to WordPress sites using this plugin, especially those that allow user registration or have multiple users with Subscriber or higher roles. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

The impact of CVE-2024-13767 is significant for organizations running WordPress sites with the Live2DWebCanvas plugin. Attackers with minimal authenticated access can delete arbitrary files, potentially removing critical configuration files like wp-config.php, which can lead to remote code execution and full site compromise. This threatens the integrity and availability of the website and can result in data loss, service disruption, and reputational damage. For organizations relying on WordPress for business operations, e-commerce, or content delivery, exploitation could lead to downtime, loss of customer trust, and financial losses. Additionally, if attackers achieve remote code execution, they may pivot to internal networks, escalating the threat beyond the web server. The vulnerability's ease of exploitation by low-privilege users increases the risk, especially for sites with open registrations or multiple user roles.

1. Immediately restrict user registration or reduce the number of users with Subscriber-level or higher privileges until a patch is available. 2. Monitor and audit user activities, especially file deletion requests, to detect suspicious behavior related to the ClearFiles() function. 3. Implement Web Application Firewall (WAF) rules to detect and block requests attempting to exploit file deletion functionality in the Live2DWebCanvas plugin. 4. If possible, disable or remove the Live2DWebCanvas plugin temporarily to eliminate the attack surface. 5. Regularly back up WordPress site files and databases to enable quick restoration in case of file deletion or compromise. 6. Follow vendor announcements closely and apply patches or updates as soon as they are released. 7. Harden file permissions on the server to restrict deletion rights to only necessary system processes and administrators. 8. Employ intrusion detection systems to alert on unusual file system changes or deletions. These steps go beyond generic advice by focusing on access control, monitoring, and proactive defense tailored to the plugin’s vulnerability.