CVE-2024-3663 is a vulnerability identified in the WP Scraper plugin for WordPress, affecting all versions up to and including 5.7. The root cause is a missing authorization check (CWE-862) in the function wp_scraper_multi_scrape_action(), which fails to verify whether the authenticated user has the necessary capabilities before allowing the creation of pages and posts. This flaw enables any authenticated user with subscriber-level privileges or higher to bypass intended access controls and create arbitrary content on the affected WordPress site. The vulnerability does not require user interaction and can be exploited remotely over the network, as the attack vector is network-based with low attack complexity. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited impact on confidentiality and availability but a clear impact on integrity. No patches or fixes have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability is particularly concerning for multi-user WordPress environments where subscriber accounts exist, as it allows unauthorized content injection that could be used for defacement, phishing, or spreading misinformation. The lack of proper capability checks indicates a design oversight in the plugin's access control implementation.

The primary impact of CVE-2024-3663 is the unauthorized modification of website content integrity by allowing low-privileged authenticated users to create arbitrary pages and posts. This can lead to website defacement, insertion of malicious or misleading content, and potential reputational damage for organizations. While confidentiality and availability are not directly affected, the integrity compromise can facilitate secondary attacks such as phishing campaigns or malware distribution through injected content. Organizations relying on WP Scraper in multi-user environments face elevated risk, especially if subscriber accounts are widely distributed or compromised. The ease of exploitation and lack of user interaction requirements increase the likelihood of abuse in compromised environments. Although no known exploits are currently reported, the vulnerability's presence in a popular WordPress plugin means attackers may develop exploits in the near future, increasing risk exposure. The impact is more pronounced for organizations with public-facing WordPress sites that depend on WP Scraper for content aggregation or scraping tasks.

To mitigate CVE-2024-3663, organizations should immediately review user roles and permissions on WordPress sites using the WP Scraper plugin, restricting subscriber-level accounts from unnecessary access or disabling the plugin if not essential. Applying the principle of least privilege by limiting subscriber accounts or removing unnecessary accounts reduces attack surface. Monitor for plugin updates or patches from the vendor and apply them promptly once available. In the absence of an official patch, consider implementing custom access control checks or disabling the vulnerable function via code modifications or hooks to prevent unauthorized execution. Employ web application firewalls (WAFs) with rules targeting suspicious POST requests to the wp_scraper_multi_scrape_action() endpoint. Regularly audit newly created pages and posts for unauthorized content and maintain comprehensive logging to detect exploitation attempts. Additionally, educate site administrators about the risks of granting subscriber-level access and encourage strong authentication practices to reduce account compromise likelihood.