The vulnerability identified as CVE-2024-13776 affects the ZoomSounds - WordPress Wave Audio Player with Playlist plugin, specifically all versions up to and including 6.91. The core issue is a missing authorization check (CWE-862) on the 'dzsap_delete_notice' AJAX action and several other functions within the plugin. This flaw allows authenticated users with minimal privileges (Subscriber-level or higher) to modify option values on the WordPress site without proper permission validation. Attackers can exploit this to update options such as marking notices as 'seen' or toggling registration flags, which can lead to site errors and denial of service conditions. The vulnerability does not require user interaction beyond authentication and can be triggered remotely over the network. The CVSS 3.1 score of 8.1 reflects high impact on integrity and availability, with low attack complexity and no user interaction needed. Although no public exploits have been observed, the vulnerability presents a serious risk to WordPress sites using this plugin, as it enables privilege escalation and potential disruption of site functionality.

The primary impact of CVE-2024-13776 is unauthorized modification of WordPress site options by low-privileged authenticated users, which can lead to denial of service by causing site errors or misconfigurations. This compromises the integrity of site data and availability of services, potentially disrupting user access and site operations. Attackers could leverage this to escalate privileges indirectly or manipulate site behavior, affecting trust and user experience. Organizations relying on the ZoomSounds plugin for audio playback may face service outages or degraded functionality, impacting content delivery and user engagement. The vulnerability could also be used as a foothold for further attacks within the WordPress environment, increasing overall risk. Given the widespread use of WordPress and the popularity of audio player plugins, the threat has broad implications for website administrators and hosting providers worldwide.

To mitigate CVE-2024-13776, organizations should immediately update the ZoomSounds plugin to a patched version once available. In the absence of an official patch, administrators should restrict plugin access by limiting user roles that can interact with the plugin's AJAX actions, ideally removing Subscriber-level users' ability to trigger these functions. Implementing Web Application Firewall (WAF) rules to monitor and block unauthorized AJAX requests targeting 'dzsap_delete_notice' and related actions can reduce exploitation risk. Regularly audit user roles and permissions to ensure minimal necessary access is granted. Additionally, monitoring site logs for unusual option updates or AJAX activity can help detect exploitation attempts early. Backup site configurations and data frequently to enable quick recovery from denial of service conditions caused by exploitation. Finally, consider isolating or disabling the plugin if it is not critical to site operations until a secure version is deployed.