CVE-2024-3072: CWE-862 Missing Authorization in horiondigital ACF Front End Editor

Severity: Medium
Tags: Vulnerability, CVE-2024-3072, CWE-862
Published: Tue Apr 30 2024 (04/30/2024, 08:32:23 UTC)
Source: CVE Database V5
Vendor/Project: horiondigital
Product: ACF Front End Editor

Description

CVE-2024-3072 is a medium-severity vulnerability in the horiondigital ACF Front End Editor WordPress plugin, affecting all versions up to and including 2.0.2. The flaw arises from a missing authorization check in the update_texts() function, allowing authenticated users with subscriber-level privileges or higher to modify post titles, content, and Advanced Custom Fields (ACF) data without proper permissions. This unauthorized modification can compromise the integrity of affected WordPress sites. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. Although no exploits are currently known in the wild, the vulnerability poses a risk to websites using this plugin, especially those with multiple user roles. Mitigation involves applying vendor patches once available or restricting user roles and capabilities to trusted users. Countries with significant WordPress usage and a high number of websites using this plugin are at greater risk, including the United States, United Kingdom, Germany, Australia, Canada, and India.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 06:02:14 UTC

Technical Analysis

CVE-2024-3072 is a vulnerability identified in the horiondigital ACF Front End Editor plugin for WordPress, affecting all versions up to and including 2.0.2. The issue stems from a missing authorization (capability) check in the update_texts() function, which is responsible for updating post titles, content, and ACF data. Due to this missing check, any authenticated user with subscriber-level access or higher can invoke this function to modify arbitrary post data without proper permissions. This vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 4.3 (medium severity), reflecting its moderate impact. The attack vector is network-based (remote), requires low attack complexity, and only requires privileges equivalent to a subscriber role, which is commonly assigned to registered users on WordPress sites. No user interaction beyond authentication is needed, and the scope is unchanged, meaning the vulnerability affects only the plugin's data and not the entire system. Although no public exploits are known at this time, the vulnerability could be leveraged to tamper with website content, potentially leading to misinformation, defacement, or manipulation of site data. The plugin is widely used in WordPress environments that utilize Advanced Custom Fields for front-end content editing, making the vulnerability relevant to many websites that rely on this plugin for user-generated content management.
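As an added illustration (not the plugin's own code), the following WordPress AJAX handler shows the missing-authorization pattern the analysis describes next to a hardened version; the action name, request parameters and function names are assumed for the example.

```php
<?php
// Illustrative WordPress AJAX handler (hypothetical, not the plugin's code).
// wp_ajax_* actions are reachable by ANY logged-in user, so authentication
// alone is not authorization: the handler itself must check capabilities.

// BEFORE (CWE-862 pattern): no nonce, no capability check. A subscriber who
// can log in can rewrite the title/content of any post ID they supply.
// Deliberately NOT hooked with add_action() below.
function example_update_texts_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_update_post( array(
        'ID'           => $post_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// AFTER (hardened): verify a nonce bound to this action, then check that the
// caller may edit THIS post before touching post data or ACF fields.
function example_update_texts_hardened() {
    check_ajax_referer( 'example_update_texts', 'nonce' ); // dies on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        // Subscribers hold no edit_post capability, so they are stopped here.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    wp_update_post( array(
        'ID'           => $post_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );

    // ACF writes need the same gate: update_field() does not check
    // capabilities on its own, so it must stay behind the check above.
    if ( function_exists( 'update_field' ) && isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ) {
        foreach ( $_POST['fields'] as $key => $value ) {
            update_field( sanitize_key( $key ), wp_kses_post( wp_unslash( $value ) ), $post_id );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_texts', 'example_update_texts_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*` (and `wp_ajax_nopriv_*`) callback that writes data and confirm a `current_user_can()` check scoped to the specific object precedes the write.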

Potential Impact

The primary impact of CVE-2024-3072 is the unauthorized modification of website content, including post titles, body content, and custom fields managed by the ACF Front End Editor plugin. This compromises the integrity of the affected websites, potentially allowing attackers with minimal privileges to alter published information, which could lead to misinformation, reputational damage, or the insertion of malicious content such as phishing links or malware distribution. While confidentiality and availability are not directly impacted, the integrity breach can undermine user trust and damage organizational credibility. For organizations relying on WordPress for content management, especially those with multiple user roles and contributors, this vulnerability increases the risk of insider threats or compromised low-privilege accounts being leveraged for unauthorized content changes. The ease of exploitation and the commonality of subscriber-level accounts make this a notable risk for a broad range of websites, from small blogs to larger corporate sites using the plugin. Although no known exploits are currently reported, the vulnerability's presence in all plugin versions up to 2.0.2 means many sites remain exposed until patched.

Mitigation Recommendations

To mitigate CVE-2024-3072, organizations should first verify if they are using the horiondigital ACF Front End Editor plugin and identify the version in use. Immediate steps include restricting subscriber-level user capabilities to the minimum necessary and auditing user roles to ensure only trusted users have access to the site backend. Until an official patch is released, consider disabling or removing the plugin if it is not essential. For sites requiring the plugin, monitor for updates from the vendor and apply patches promptly once available. Additionally, implement strong authentication controls such as multi-factor authentication (MFA) to reduce the risk of account compromise. Regularly review and monitor logs for unusual content modifications or user activity indicative of exploitation attempts. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the update_texts() function or related plugin endpoints. Finally, educate site administrators and content managers about the risk and encourage prompt reporting of unexpected content changes.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-03-28T22:25:15.717Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c8cb7ef31ef0b566250

Added to database: 2/25/2026, 9:41:32 PM

Last enriched: 2/26/2026, 6:02:14 AM

Last updated: 2/26/2026, 8:03:14 AM
