CVE-2024-4858 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Testimonial Carousel For Elementor plugin for WordPress, versions up to and including 10.2.0. The issue stems from the absence of a capability check in the 'save_testimonials_option_callback' function, which is responsible for saving plugin options. This missing authorization allows unauthenticated attackers to invoke this function remotely and modify plugin settings without any privilege. The primary impact is the unauthorized update of the OpenAI API key configured within the plugin, which can effectively disable the plugin's OpenAI-dependent features. The vulnerability is exploitable over the network without requiring authentication or user interaction, making it relatively easy to exploit. However, the impact is limited to availability, as no confidentiality or integrity breaches are reported. The CVSS v3.1 base score is 5.3 (medium), reflecting the ease of exploitation but limited impact scope. No patches or exploits are currently publicly available, but the risk remains for sites using affected versions. The plugin is widely used among WordPress sites employing Elementor page builder, increasing the potential attack surface.

The vulnerability allows attackers to disrupt the functionality of the Testimonial Carousel For Elementor plugin by modifying its OpenAI API key, leading to denial of service of features relying on this key. While it does not expose sensitive data or allow code execution, the loss of plugin functionality can degrade user experience and site reliability. For organizations relying on this plugin for customer testimonials or AI-powered features, this disruption could affect brand reputation and user engagement. Additionally, unauthorized configuration changes may complicate incident response and recovery. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, affecting any publicly accessible WordPress site using the vulnerable plugin. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as automated scanning tools may detect vulnerable sites.

To mitigate this vulnerability, organizations should immediately update the Testimonial Carousel For Elementor plugin to a version that includes proper authorization checks once available. Until a patch is released, administrators can implement the following measures: restrict access to the WordPress admin-ajax.php endpoint via web application firewall (WAF) rules or server configurations to block unauthorized POST requests targeting the 'save_testimonials_option_callback' action; employ security plugins that monitor and block suspicious admin-ajax.php activity; limit plugin usage to trusted administrators only; regularly audit plugin configurations and API keys for unauthorized changes; and monitor web server logs for unusual requests to the plugin’s AJAX handlers. Additionally, consider disabling or removing the plugin if its functionality is non-critical, or replacing it with a more secure alternative. Maintaining up-to-date backups and having an incident response plan will also help recover quickly if exploitation occurs.