
CVE-2024-3609: CWE-862 Missing Authorization in reviewx ReviewX – Multi-criteria Rating & Reviews for WooCommerce

Severity: Medium
Published: Thu May 16 2024 (05/16/2024, 20:31:04 UTC)
Source: CVE Database V5
Vendor/Project: reviewx
Product: ReviewX – Multi-criteria Rating & Reviews for WooCommerce

Description

CVE-2024-3609 is a medium severity vulnerability in the ReviewX – Multi-criteria Rating & Reviews for WooCommerce WordPress plugin. It arises from a missing authorization check in the reviewx_remove_guest_image function, allowing authenticated users with subscriber-level access or higher to delete attachments without proper permissions. The flaw affects all versions up to and including 1.6.27. Exploitation requires no user interaction beyond authentication, and the impact is limited to integrity loss through unauthorized deletion of attachments. There are no known exploits in the wild currently. Organizations using this plugin should prioritize updating or implementing access controls to prevent unauthorized data deletion. The vulnerability primarily threatens websites running WooCommerce with the ReviewX plugin, which are common in e-commerce sectors worldwide, especially in countries with large WordPress user bases. Given the moderate CVSS score of 4.

AI-Powered Analysis

Last updated: 02/26/2026, 06:19:42 UTC

Technical Analysis

CVE-2024-3609 is a vulnerability classified under CWE-862 (Missing Authorization) found in the ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress. The issue stems from the absence of a capability check in the reviewx_remove_guest_image function, which is responsible for deleting guest user images attached to reviews. This missing authorization allows any authenticated user with subscriber-level privileges or higher to invoke this function and delete attachments arbitrarily. Since WordPress subscriber roles are commonly assigned to registered users with minimal privileges, this vulnerability significantly lowers the barrier for exploitation. The flaw affects all versions of the plugin up to and including 1.6.27. The CVSS v3.1 base score is 4.3, reflecting a medium severity due to the network attack vector, low attack complexity, and the requirement for privileges but no user interaction. The vulnerability impacts the integrity of stored data by enabling unauthorized deletion but does not affect confidentiality or availability directly. No patches or fixes are currently linked in the provided data, and no known exploits have been reported in the wild. The vulnerability is particularly relevant for e-commerce websites using WooCommerce with the ReviewX plugin, where review images and attachments are integral to user-generated content and trustworthiness.

Potential Impact

The primary impact of CVE-2024-3609 is unauthorized deletion of attachments related to user reviews, which compromises data integrity. For organizations, this can result in loss of valuable user-generated content, undermining customer trust and potentially affecting sales and reputation. Although the vulnerability does not directly affect confidentiality or availability, the deletion of review images can degrade the user experience and the perceived reliability of the e-commerce platform. Attackers with subscriber-level access, which is relatively easy to obtain, can exploit this flaw to remove legitimate content or conduct targeted attacks against specific attachments. This could be leveraged in broader social engineering or reputation damage campaigns. The scope is limited to sites using the vulnerable plugin, but given WooCommerce's popularity and the widespread use of ReviewX, the number of affected sites could be substantial. Organizations relying on this plugin for customer reviews should consider the risk of data tampering and the potential operational impact of content loss.

Mitigation Recommendations

To mitigate CVE-2024-3609, organizations should first verify whether they are running the ReviewX plugin at version 1.6.27 or earlier. Immediate mitigation includes restricting subscriber-level user capabilities to prevent unauthorized access to or deletion of attachments. Administrators should audit user roles and permissions, ensuring that only trusted users have subscriber or higher access. If possible, temporarily disable the plugin or the affected functionality until a patch is released. Monitoring and logging deletion events related to review attachments can help detect exploitation attempts. Implementing a Web Application Firewall (WAF) with custom rules to block suspicious requests targeting the reviewx_remove_guest_image function may reduce risk. Regular backups of review data and attachments are essential for recovering from any unauthorized deletions. Organizations should stay alert for official patches or updates from the vendor and apply them promptly once available. Additionally, consider isolating or sandboxing user-generated content to limit the impact of unauthorized deletions.
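The CWE-862 pattern described above, as an added illustration that is not ReviewX code: a constructed WordPress AJAX handler that deletes a review image, shown first in the unchecked shape and then hardened with a nonce and a per-attachment capability check, plus a `delete_attachment` logging hook matching the monitoring recommendation. All function, action and nonce names are hypothetical.

```php
<?php
// Constructed example (not the plugin's code); names are hypothetical.

// CWE-862 shape: wp_ajax_* hooks run for any logged-in user, so without a
// check on who is asking, a subscriber can delete any attachment ID.
function example_remove_review_image_unchecked() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}

// Hardened form: verify the nonce (CSRF), confirm the target really is an
// attachment, and require the caller to hold delete rights on that post.
function example_remove_review_image_checked() {
    check_ajax_referer( 'example_remove_review_image', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || get_post_type( $attachment_id ) !== 'attachment' ) {
        wp_send_json_error( 'invalid attachment', 400 ); // calls wp_die()
    }
    // delete_post is a meta capability resolved per post: the uploader or a
    // user with delete_others_posts passes; the subscriber role does not.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_remove_review_image', 'example_remove_review_image_checked' );

// Detection aid: record every attachment deletion with the acting user and
// roles, so deletions by low-privilege accounts stand out during review.
function example_log_attachment_deletion( $post_id ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        'attachment %d deleted by user %d (roles: %s) via %s',
        $post_id,
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli'
    ) );
}
add_action( 'delete_attachment', 'example_log_attachment_deletion' );
```

The unchecked handler is shown for contrast only and is deliberately not registered on a hook.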


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-04-10T17:31:53.592Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c97b7ef31ef0b56695e

Added to database: 2/25/2026, 9:41:43 PM

Last enriched: 2/26/2026, 6:19:42 AM

Last updated: 2/26/2026, 11:14:32 AM


