
CVE-2024-1385: CWE-862 Missing Authorization in andypotanin WP-Stateless – Google Cloud Storage

Severity: High
Type: Vulnerability (CVE-2024-1385, CWE-862)
Published: Sat Apr 06 2024 (04/06/2024, 03:24:43 UTC)
Source: CVE Database V5
Vendor/Project: andypotanin
Product: WP-Stateless – Google Cloud Storage

Description

CVE-2024-1385 is a high-severity vulnerability in the WP-Stateless – Google Cloud Storage WordPress plugin, affecting all versions up to and including 3.4.0. The flaw is a missing capability check in the plugin's dismiss_notices() function, which lets any authenticated user with subscriber-level access or higher update arbitrary option values to the current time. Overwriting the wrong options can take the site offline, so the impact falls mainly on availability. Exploitation needs only a valid low-privilege account and is possible remotely over the network; no further user interaction is required. This record reports no exploitation in the wild, but the low bar to exploit it and the potential impact make it a significant threat. Organizations using this plugin should prioritize patching or, failing that, apply the mitigations below to prevent unauthorized option modifications. Exposure is greatest on sites that allow open user registration, since that is what hands an attacker the subscriber account the attack needs.

AI-Powered Analysis

Last updated: 02/26/2026, 09:30:34 UTC

Technical Analysis

CVE-2024-1385 is a vulnerability classified under CWE-862 (Missing Authorization) in the WP-Stateless – Google Cloud Storage plugin for WordPress, maintained by andypotanin. The issue is in the dismiss_notices() function, which performs no capability check before acting, so any authenticated user with subscriber-level privileges or above can invoke it. Because the function writes to options without verifying who is calling it, an attacker can update arbitrary option values within the WordPress site to the current time. Overwriting options that the site or its plugins depend on disrupts normal operation and can render the site offline. Notice-dismissal handlers are exactly the kind of housekeeping endpoint that is easy to overlook when capability checks are added, which is why this pattern recurs across WordPress plugins. The vulnerability affects all plugin versions up to and including 3.4.0. The CVSS v3.1 base score is 7.1 (High): network attack vector, low attack complexity, low privileges required (an authenticated subscriber), and no user interaction. The impact is primarily on availability, since the attacker can cause denial of service by corrupting or manipulating critical site options; the scope is limited to the affected WordPress installation. This record links no patch or fixed version, and no exploitation in the wild has been reported, but the vulnerability is a clear risk for any site running this plugin without compensating access controls or mitigations.
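To make the CWE-862 pattern concrete, the following is an added example written for this page: a WordPress AJAX handler that dismisses an admin notice by writing the current time into an option, first in the unauthorized form the analysis above describes and then hardened. It is illustrative code, not the WP-Stateless plugin's source; the action names, option names and function names are assumptions, while the WordPress API calls (add_action, current_user_can, check_ajax_referer, update_option, wp_send_json_error) are real.

```php
<?php
// Added example for this page. NOT the WP-Stateless plugin's code; the action
// names, option names and function names are assumptions. The WordPress API
// calls are real.

// --- Vulnerable pattern (the class of bug in CVE-2024-1385) ------------------
// wp_ajax_* hooks fire for ANY logged-in user, including subscribers, so the
// handler itself must enforce authorization. This one does not.
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_vulnerable' );

function example_dismiss_notice_vulnerable() {
    // No capability check, no nonce check: a subscriber who can log in can
    // POST to /wp-admin/admin-ajax.php?action=example_dismiss_notice.
    $key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';

    // The option name comes straight from the request, so an attacker can
    // overwrite any option in wp_options with a Unix timestamp. If that
    // option holds configuration the site depends on, the site breaks.
    update_option( $key, time() );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
add_action( 'wp_ajax_example_dismiss_notice_safe', 'example_dismiss_notice_safe' );

function example_dismiss_notice_safe() {
    // 1. Authorization: only users allowed to manage site settings may write
    //    site-wide options. wp_send_json_error() calls wp_die(), so execution
    //    stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: nonce tied to this action (dies on failure). The
    //    nonce is created with wp_create_nonce( 'example_dismiss_notice' )
    //    where the notice markup is rendered.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 3. Allow-list the options this handler may touch. Never let the request
    //    choose an arbitrary option name, even for administrators.
    $allowed = array( 'example_notice_welcome', 'example_notice_upgrade' );
    $key     = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }

    // Third argument false: a dismissal timestamp need not be autoloaded on
    // every request.
    update_option( $key, time(), false );
    wp_send_json_success();
}
```

The capability check is the fix for the CWE-862 defect; the nonce and the allow-list close the neighbouring weaknesses (CSRF against an administrator, and an administrator being tricked into clobbering an unrelated option). A further design choice worth noting: per-user notice dismissals belong in user meta (update_user_meta for the current user), not in site-wide options, which removes the site-level write entirely and with it the availability impact.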

Potential Impact

The vulnerability can cause significant availability problems for WordPress sites running the WP-Stateless plugin, because an attacker with minimal privileges can overwrite site options and disrupt service. The result is downtime, loss of user trust, and potential revenue loss for affected organizations. The attacker only needs subscriber-level access, which is the default role for self-registered users, so on any site with open registration the attack surface is every person who can create an account; on sites without open registration it is every existing low-privilege account, including compromised ones. Site configuration integrity is also at risk, and a corrupted option can leave the site in a persistent denial of service condition until the option is restored. Organizations relying on this plugin for Google Cloud Storage integration face operational risk, especially those with high traffic or a critical web presence. The absence of known exploits in the wild reduces immediate risk but does not remove it: the attack is a single authenticated request, and a proof of concept could appear quickly.

Mitigation Recommendations

1. Reduce who can obtain the low-privilege account the attack needs: disable open user registration unless the site requires it, and review existing subscriber and other low-privilege accounts, removing stale or unexplained ones. Tightening the subscriber role's capabilities does not help here, because the vulnerable function performs no capability check at all.
2. Monitor and audit changes to site options, and alert on option writes made by accounts that are not administrators or on unusual activity from low-privilege accounts.
3. Apply the vendor's patch or update as soon as one is available.
4. If no patch is available, temporarily deactivate or remove the WP-Stateless plugin until a fix is provided.
5. Use a WordPress-aware firewall to block requests that reach the plugin's dismiss_notices() handler from sessions that are not administrators.
6. Harden the WordPress installation: enforce strong authentication, limit user registrations, and require multi-factor authentication for all users with elevated privileges.
7. Back up site data and the wp_options table regularly so that a corrupted option can be restored quickly.
8. Run proactive vulnerability scanning and penetration testing focused on plugin authorization controls (capability and nonce checks on AJAX and REST handlers) to find similar issues.
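For item 2 above, the following is an added example written for this page (not part of WP-Stateless): a must-use plugin that hooks WordPress's updated_option action and logs every option write performed by a logged-in user who lacks manage_options, which is exactly the condition this vulnerability produces. The log destination (PHP error_log), the capability used as the threshold, and the flagging of timestamp-like values are assumptions; the hook name, its three arguments and the WordPress functions used are real.

```php
<?php
/**
 * Plugin Name: Example Option Write Audit (mu-plugin)
 *
 * Added example for this page, not part of WP-Stateless. Drop into
 * wp-content/mu-plugins/ so it loads before ordinary plugins. The log
 * destination and the capability threshold are assumptions.
 */

// updated_option fires after an existing option's value changes. It receives
// ( $option, $old_value, $new_value ). added_option covers first-time writes.
add_action( 'updated_option', 'example_audit_option_write', 10, 3 );
add_action( 'added_option', 'example_audit_option_added', 10, 2 );

function example_audit_option_added( $option, $value ) {
    example_audit_option_write( $option, null, $value );
}

function example_audit_option_write( $option, $old_value, $new_value ) {
    // Writes from WP-Cron, WP-CLI or unauthenticated requests have no user;
    // they are outside this vulnerability's scope, so skip them.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return;
    }

    // Administrators change options as part of normal work. The signal we
    // want is an option write by an account that should not be able to
    // change site settings at all.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // CVE-2024-1385 writes the current Unix time into the option. Flag values
    // that look like a recent timestamp (within the last hour, assumed window)
    // so those hits stand out from other low-privilege option writes.
    $now            = time();
    $looks_like_now = is_numeric( $new_value )
        && abs( (int) $new_value - $now ) < HOUR_IN_SECONDS;

    $user  = wp_get_current_user();
    $entry = array(
        'ts'          => gmdate( 'c', $now ),
        'severity'    => $looks_like_now ? 'high' : 'medium',
        'user'        => $user->user_login,
        'roles'       => implode( ',', (array) $user->roles ),
        'option'      => $option,
        'old'         => example_audit_stringify( $old_value ),
        'new'         => example_audit_stringify( $new_value ),
        'request_uri' => isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '',
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '',
    );

    // One JSON object per line, prefixed so it is easy to grep or ship to a SIEM.
    error_log( 'option-audit ' . wp_json_encode( $entry ) );
}

// Options can hold arrays and objects; keep the log line short and safe.
function example_audit_stringify( $value ) {
    if ( null === $value ) {
        return '';
    }
    $s = is_scalar( $value ) ? (string) $value : (string) wp_json_encode( $value );
    return strlen( $s ) > 200 ? substr( $s, 0, 200 ) . '...' : $s;
}
```

A subscriber session triggering the vulnerable handler shows up as a line containing the subscriber's login, the overwritten option name, a timestamp-shaped new value and the request URI that caused it, which is enough to both alert on and to restore the option from backup. Because updated_option does not fire when the new value equals the old one, repeated identical writes are not logged; that is acceptable for this purpose.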


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-02-08T21:00:39.214Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d2db7ef31ef0b56ea47

Added to database: 2/25/2026, 9:44:13 PM

Last enriched: 2/26/2026, 9:30:34 AM

Last updated: 2/26/2026, 11:09:10 AM