CVE-2024-4788 identifies a missing authorization vulnerability (CWE-862) in the Boostify Header Footer Builder for Elementor plugin for WordPress, specifically in the create_bhf_post function. This function lacks proper capability checks, allowing any authenticated user with subscriber-level permissions or higher to create new pages or posts containing arbitrary content. Since subscriber roles typically have limited capabilities, this vulnerability effectively elevates their ability to modify site content without proper authorization. The vulnerability affects all plugin versions up to and including 1.3.3. Exploitation requires no user interaction beyond authentication and can be performed remotely over the network. The impact is primarily on data integrity, as attackers can inject malicious or misleading content, potentially undermining site trustworthiness or facilitating further attacks such as phishing or social engineering. The CVSS 3.1 base score is 4.3, indicating a medium severity with network attack vector, low attack complexity, and low privileges required. No known public exploits or patches are currently available, but the vulnerability is publicly disclosed as of June 6, 2024. The plugin is widely used among WordPress sites employing Elementor for header and footer customization, increasing the potential attack surface.

Organizations using the Boostify Header Footer Builder for Elementor plugin are at risk of unauthorized content injection by low-privileged authenticated users. This can lead to reputational damage if malicious content is published, including phishing pages or misinformation. Although the vulnerability does not directly expose sensitive data or disrupt availability, the integrity compromise can facilitate broader attacks or erode user trust. Websites relying on this plugin for critical branding or navigation elements may experience defacement or manipulation of site structure. Attackers with subscriber-level access, which is commonly granted to registered users or commenters, can exploit this flaw without needing elevated privileges, increasing the risk in multi-user environments. The absence of known exploits reduces immediate risk, but the public disclosure may prompt attackers to develop exploits. The vulnerability could be leveraged in targeted attacks against organizations with public-facing WordPress sites using this plugin, especially those with large user bases or high traffic.

Until an official patch is released, organizations should restrict subscriber-level user capabilities to prevent unauthorized content creation, possibly by disabling or limiting user registrations or by using role management plugins to tighten permissions. Monitoring and auditing content creation activities for unusual posts or pages is recommended to detect exploitation attempts early. Implementing a web application firewall (WAF) with custom rules to detect and block suspicious requests targeting the create_bhf_post function can provide temporary protection. Site administrators should subscribe to vendor or security mailing lists to receive updates on patches and apply them promptly once available. Additionally, consider isolating or disabling the Boostify Header Footer Builder plugin if it is not essential, or replacing it with alternative plugins that have verified security. Regular backups and incident response plans should be in place to recover from potential content tampering.