CVE-2024-4390: CWE-863 Incorrect Authorization in averta Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
CVE-2024-4390 is a medium-severity vulnerability in the Slider & Popup Builder by Depicter WordPress plugin, affecting all versions up to and including 3.0.2. An authenticated user with the Contributor role or higher can obtain a valid nonce for any WordPress action or function name they choose, not only for the plugin's own actions. A WordPress nonce is a CSRF token, not a capability check, so this lets the attacker call any handler whose only gate is a nonce check and that does not also verify the caller's capabilities. The root cause is incorrect authorization (CWE-863) in the plugin's nonce handling. Exploitation requires an account but no further user interaction. No in-the-wild exploitation and no patched release were recorded when this page was written. Sites running the plugin should apply the mitigations below and upgrade as soon as a version above 3.0.2 is available. The CVSS 3.1 base score is 6.5.
AI Analysis
Technical Summary
CVE-2024-4390 is an authorization flaw classified under CWE-863 in the Slider & Popup Builder by Depicter WordPress plugin, versions up to and including 3.0.2. An authenticated user with Contributor-level access or higher can obtain a valid WordPress nonce for an action string of their choosing, rather than only for the actions the plugin legitimately needs. A WordPress nonce is a short, time-limited token derived from the action name, the user ID and the user's session token; core and plugin handlers check it with wp_verify_nonce(), check_ajax_referer() or check_admin_referer() to confirm that the request was deliberately issued by that logged-in user, which is a CSRF defence. It is not a capability check. Handlers that nevertheless treat a passing nonce as sufficient authorization, without a separate current_user_can() test, become reachable by any Contributor who can mint the matching nonce through this plugin. The effect is therefore indirect: the attacker gains whatever those nonce-only handlers expose, whether in the plugin itself, in WordPress core, or in other installed plugins and themes. Because the nonce is bound to the attacker's own user ID and session, it does not allow forging requests as an administrator or any other user. The flaw is exploitable remotely over the network and needs no user interaction beyond the attacker's own login. The CVSS 3.1 base score of 6.5 (Medium) reflects a network attack vector, low attack complexity, low privileges required (Contributor or above), no user interaction, and high confidentiality impact with no integrity or availability impact. No public exploit and no patched release were recorded at the time of this write-up; the plugin is widely installed for sliders, popups and carousels, so monitor the vendor's releases and apply the first version above 3.0.2 when it appears.
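The pattern the advisory describes, shown as an added example with a hypothetical plugin ("demoplug") and hypothetical handler, hook and capability names. This is not the Depicter plugin's code, which the page does not reproduce, and the real endpoint the plugin exposes is not named here. The vulnerable half mints a nonce for whatever action the caller names; the hardened half restricts minting to an enumerated set of the plugin's own actions and makes every privileged handler check a capability itself. It assumes a WordPress runtime (the wp_* and add_action() calls are WordPress core functions):

```php
<?php
/**
 * Added example, not code from the Depicter plugin or from the Wordfence advisory.
 * "demoplug" and every handler, hook and option name below are hypothetical.
 * Requires WordPress: drop into a plugin file to run.
 */

// ---- Vulnerable pattern -------------------------------------------------------
// Any logged-in user can reach admin-ajax.php?action=demoplug_get_nonce. Because
// the action name comes from the request, a Contributor can post
//   for=demoplug_purge_cache
// and receive a nonce that check_ajax_referer( 'demoplug_purge_cache' ) accepts
// for that Contributor's own user ID and session.
function demoplug_get_nonce_vulnerable() {
	$for = sanitize_text_field( wp_unslash( $_POST['for'] ?? '' ) );
	wp_send_json_success( [ 'nonce' => wp_create_nonce( $for ) ] );
}

// A handler that relies on the nonce alone. The nonce proves the request came
// from the logged-in user's own browser; it says nothing about their role.
function demoplug_purge_cache_nonce_only() {
	check_ajax_referer( 'demoplug_purge_cache' ); // CSRF check, not authorization
	demoplug_purge_cache();                        // privileged work
	wp_send_json_success();
}
// Vulnerable wiring, shown for reference and deliberately not registered:
// add_action( 'wp_ajax_demoplug_get_nonce',   'demoplug_get_nonce_vulnerable' );
// add_action( 'wp_ajax_demoplug_purge_cache', 'demoplug_purge_cache_nonce_only' );

// ---- Hardened pattern ---------------------------------------------------------
// 1. Nonces are minted only for this plugin's own enumerated actions, and only
//    for users who hold the capability the action needs.
// 2. Every handler that does privileged work performs its own capability check;
//    the nonce remains a CSRF defence and nothing more.
const DEMOPLUG_NONCE_ACTIONS = [ // action => capability required to obtain it
	'demoplug_save_slider' => 'edit_posts',
	'demoplug_purge_cache' => 'manage_options',
];

function demoplug_get_nonce_hardened() {
	$for = sanitize_key( $_POST['for'] ?? '' );
	$cap = DEMOPLUG_NONCE_ACTIONS[ $for ] ?? null;
	if ( null === $cap || ! current_user_can( $cap ) ) {
		wp_send_json_error( 'unknown action or insufficient capability', 403 );
	}
	wp_send_json_success( [ 'nonce' => wp_create_nonce( $for ) ] );
}

function demoplug_purge_cache_hardened() {
	check_ajax_referer( 'demoplug_purge_cache' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	demoplug_purge_cache();
	wp_send_json_success();
}

// The privileged work: drop this plugin's transients from the options table.
function demoplug_purge_cache() {
	global $wpdb;
	$wpdb->query( $wpdb->prepare(
		"DELETE FROM {$wpdb->options} WHERE option_name LIKE %s",
		$wpdb->esc_like( '_transient_demoplug_' ) . '%'
	) );
}

add_action( 'wp_ajax_demoplug_get_nonce',   'demoplug_get_nonce_hardened' );
add_action( 'wp_ajax_demoplug_purge_cache', 'demoplug_purge_cache_hardened' );
```

A nonce is computed from the action name, the user ID, the session token and a twelve-hour time tick, so the Contributor's minted nonce passes check_ajax_referer() only for requests made as that Contributor; it never becomes an administrator's nonce. That is also why the fix belongs in the consuming handler as much as in the minting endpoint: current_user_can() is the authorization decision, the nonce only ties the request to a deliberate action by that user.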
Potential Impact
The direct result of CVE-2024-4390 is that a Contributor-level account can invoke any handler whose only access control is a nonce check. The CVSS vector scores this as a confidentiality impact: such handlers may return data (settings, exports, user or post details) that the role is not meant to read. Whether a given site also suffers integrity effects depends on which nonce-only handlers exist in its core, plugin and theme code; the advisory attributes no integrity or availability impact to the flaw itself. A nonce minted this way is valid only for the attacker's own account and session, so the flaw does not by itself yield administrator rights, but it removes a layer that other weaknesses may rely on and can be chained with them toward privilege escalation. Sites with many Contributor or Author accounts (multi-author blogs, sites that accept guest submissions, sites whose registration creates Contributors) face the largest exposure. No exploitation in the wild was recorded when this page was written; a widely installed plugin with a simple, well-described flaw is nonetheless a likely target once a public proof of concept appears.
Mitigation Recommendations
1. Inventory affected sites: list installed plugins and versions (the Plugins screen, or `wp plugin list` with WP-CLI) and note every site running Slider & Popup Builder by Depicter at 3.0.2 or lower.
2. Update as soon as a fix ships: watch the plugin's changelog on WordPress.org and the Wordfence advisory for CVE-2024-4390, and apply the first release above 3.0.2 promptly. Until then, deactivate the plugin where sliders and popups are not essential.
3. Shrink the attacker population: the flaw needs a Contributor or higher account. List those accounts (`wp user list --role=contributor`, and likewise for author, editor and administrator), remove stale ones, and disable open registration or set the default role to Subscriber.
4. Audit custom and third-party code for handlers that verify a nonce (check_ajax_referer(), check_admin_referer(), wp_verify_nonce()) but never call current_user_can(); those are exactly the handlers this flaw makes reachable. Add the capability check rather than relying on the nonce.
5. Review custom roles: any role that was granted edit_posts or a higher capability counts as Contributor or above for this issue.
6. Log and watch admin-ajax.php and REST activity: WordPress does not log it by default, so enable web server or security plugin logging that records the authenticated user and the action parameter, and alert on Contributor accounts invoking actions outside the editor's normal set.
7. WAF rules can block requests to the plugin's nonce-issuing endpoint from non-administrator sessions once that endpoint has been identified from the plugin source. Generic "suspicious nonce" signatures are not meaningful, because a nonce is an opaque ten-character token.
8. Harden the accounts that remain: enforce strong passwords and two-factor authentication for every Contributor or higher user, since a compromised low-privilege account is the realistic entry point.
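For the code audit among the recommendations above, an added script that is not from the Depicter plugin or from Wordfence. It tokenizes PHP files with PHP's own token_get_all() and reports the two shapes this CVE makes relevant: a wp_create_nonce() call whose action argument is not a string literal (the caller may be choosing the action), and a named function that verifies a nonce without ever calling a capability check. The sample it scans when run without arguments is constructed for the example; all function names in it are hypothetical:

```php
<?php
// audit_nonce_auth.php: added example, not code from the Depicter plugin or from Wordfence.
// Reports (1) wp_create_nonce() calls whose action argument is not a string literal and
// (2) named functions that verify a nonce but never call a capability check.
// Without file arguments it scans the constructed sample at the bottom of this file.
declare(strict_types=1);

const NONCE_CHECKS = [ 'check_ajax_referer', 'check_admin_referer', 'wp_verify_nonce' ];
const CAP_CHECKS   = [ 'current_user_can', 'user_can', 'current_user_can_for_blog' ];

// Index of the next token that is not whitespace or a comment; null at end of input.
function next_significant( array $tokens, int $i ): ?int {
	for ( $n = count( $tokens ); $i < $n; $i++ ) {
		$t = $tokens[ $i ];
		if ( ! is_array( $t ) || ! in_array( $t[0], [ T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ], true ) ) {
			return $i;
		}
	}
	return null;
}

// Names of the functions called inside the brace-delimited body that follows token $from.
// A declaration without a body (abstract or interface method) yields an empty list.
function body_calls( array $tokens, int $from ): array {
	$n = count( $tokens );
	$i = $from;
	while ( $i < $n && $tokens[ $i ] !== '{' && $tokens[ $i ] !== ';' ) {
		$i++;
	}
	if ( $i >= $n || $tokens[ $i ] === ';' ) {
		return [];
	}
	$depth = 0;
	$calls = [];
	for ( ; $i < $n; $i++ ) {
		$t = $tokens[ $i ];
		// "{$var}" inside a double-quoted string also opens a brace that a bare '}' closes.
		if ( $t === '{' || ( is_array( $t ) && in_array( $t[0], [ T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES ], true ) ) ) {
			$depth++;
		} elseif ( $t === '}' && --$depth === 0 ) {
			break;
		} elseif ( is_array( $t ) && $t[0] === T_STRING ) {
			$j = next_significant( $tokens, $i + 1 );
			if ( $j !== null && $tokens[ $j ] === '(' ) {
				$calls[] = $t[1];
			}
		}
	}
	return $calls;
}

// Findings for one source string as [ line, function name, message ] triples.
function audit_source( string $code ): array {
	$tokens   = token_get_all( $code );
	$findings = [];
	foreach ( $tokens as $i => $t ) {
		if ( ! is_array( $t ) ) { continue; }
		if ( $t[0] === T_STRING && $t[1] === 'wp_create_nonce' ) {
			$j = next_significant( $tokens, $i + 1 );
			$k = $j === null ? null : next_significant( $tokens, $j + 1 );
			$literal = $k !== null && is_array( $tokens[ $k ] ) && $tokens[ $k ][0] === T_CONSTANT_ENCAPSED_STRING;
			if ( $j !== null && $tokens[ $j ] === '(' && ! $literal ) {
				$findings[] = [ $t[2], '-', 'wp_create_nonce() with a non-literal action' ];
			}
		} elseif ( $t[0] === T_FUNCTION ) {
			$j = next_significant( $tokens, $i + 1 );
			if ( $j === null || ! is_array( $tokens[ $j ] ) || $tokens[ $j ][0] !== T_STRING ) {
				continue; // closure, not a named handler
			}
			$calls = body_calls( $tokens, $j );
			if ( array_intersect( $calls, NONCE_CHECKS ) && ! array_intersect( $calls, CAP_CHECKS ) ) {
				$findings[] = [ $t[2], $tokens[ $j ][1], 'nonce verified but no capability check' ];
			}
		}
	}
	return $findings;
}

// Constructed sample, not real plugin code: a nonce endpoint and a handler of each kind.
$sample = <<<'PHP'
<?php
function demo_mint_any_nonce() {
	wp_send_json_success( wp_create_nonce( sanitize_key( $_POST['for'] ) ) );
}
function demo_delete_entries() {
	check_ajax_referer( 'demo_delete_entries' );
	demo_do_delete( (int) $_POST['id'] );
}
function demo_export() {
	check_ajax_referer( 'demo_export' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	wp_send_json_success( [ 'data' => demo_build_export(), 'next_nonce' => wp_create_nonce( 'demo_export' ) ] );
}
PHP;

$files   = array_slice( $argv, 1 );
$targets = $files ? array_combine( $files, array_map( 'file_get_contents', $files ) ) : [ '<sample>' => $sample ];
foreach ( $targets as $file => $code ) {
	foreach ( audit_source( $code ) as [ $line, $fn, $msg ] ) {
		printf( "%s:%d %s [%s]\n", $file, $line, $msg, $fn );
	}
}
```

Run it over a plugin directory with `find wp-content/plugins/some-plugin -name '*.php' | xargs php audit_nonce_auth.php`. On the built-in sample it reports the non-literal wp_create_nonce() on line 3 and demo_delete_entries on line 5, and stays silent on demo_export, which checks a capability and mints only a literal action. Expect false positives in real code: a handler may delegate its capability check to a helper the tokenizer does not follow, and a non-literal action may be constrained earlier in the function. Treat the output as a review list, not a verdict.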
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-05-01T15:26:59.549Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b8ab7ef31ef0b55675a
Added to database: 2/25/2026, 9:37:14 PM
Last enriched: 2/26/2026, 12:40:25 AM
Last updated: 2/26/2026, 9:41:33 AM
Related Threats
- CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing (High)
- CVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS (High)
- CVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews (High)
- CVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements (High)
- CVE-2026-28083: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in UX-themes Flatsome (High)