CVE-2024-1710 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Addon Library plugin for WordPress, developed by unitecms. The issue arises because the onAjaxAction function lacks proper capability checks, allowing authenticated users with minimal privileges (subscriber-level or above) to bypass authorization controls. This enables them to execute unauthorized actions such as uploading arbitrary files to the server. Since WordPress is widely used globally and the Addon Library plugin is integrated into many sites, this vulnerability can be exploited remotely over the network without user interaction. The CVSS 3.1 base score of 8.8 reflects the vulnerability’s high impact on confidentiality, integrity, and availability, as attackers can upload malicious files that may lead to remote code execution, data leakage, or site defacement. The vulnerability affects all versions up to and including 1.3.76, and no patches or updates are currently linked, increasing the urgency for mitigation. Although no known exploits are publicly reported, the low attack complexity and lack of required user interaction make this a critical risk for WordPress sites using this plugin. The vulnerability was reserved and disclosed in February 2024, with enrichment from CISA, highlighting its significance in the security community.

The impact of CVE-2024-1710 is substantial for organizations running WordPress sites with the vulnerable Addon Library plugin. Attackers with subscriber-level access can upload arbitrary files, potentially leading to remote code execution, website defacement, data theft, or pivoting within the network. This compromises the confidentiality, integrity, and availability of the affected systems. Given WordPress's extensive use in small to large enterprises, e-commerce, government, and media websites, exploitation could result in significant operational disruption, reputational damage, and regulatory compliance issues. The vulnerability’s ease of exploitation and broad scope increase the likelihood of targeted attacks and automated scanning by threat actors. Organizations without strict access controls or monitoring are particularly at risk, as attackers only need minimal privileges to exploit the flaw.

To mitigate CVE-2024-1710, organizations should immediately verify if the Addon Library plugin is installed and identify the version in use. Since no official patch links are provided yet, temporary mitigations include restricting subscriber-level user capabilities to prevent access to plugin AJAX actions, implementing Web Application Firewall (WAF) rules to block suspicious AJAX requests targeting the onAjaxAction function, and disabling or removing the vulnerable plugin if it is not essential. Monitoring web server logs for unusual file upload activity and scanning for unauthorized files can help detect exploitation attempts. Organizations should also follow unitecms and WordPress security advisories closely for official patches or updates. Applying the principle of least privilege to user roles and enforcing multi-factor authentication can reduce the risk of compromised accounts being leveraged for exploitation.