CVE-2024-50459 identifies a missing authorization vulnerability within the AidWP WordPress plugin developed by Hossni Mubarak, specifically in the wp-stripe-donation module. The vulnerability arises from improperly configured access control security levels, allowing unauthorized users to perform actions that should be restricted. AidWP versions up to 3.2.3 are affected, with no patch currently available as of the publication date. The flaw means that certain donation-related functionalities can be accessed or manipulated without proper permission checks, potentially leading to unauthorized data access or fraudulent transactions. Since this is a WordPress plugin, the vulnerability impacts websites using AidWP for Stripe-based donation processing. The vulnerability does not require authentication or user interaction, making it easier for attackers to exploit remotely. No known exploits have been reported in the wild yet, but the risk remains significant due to the nature of the missing authorization. The lack of a CVSS score necessitates a severity assessment based on the impact on confidentiality, integrity, and availability, ease of exploitation, and scope of affected systems.

The missing authorization vulnerability in AidWP can have serious consequences for organizations relying on this plugin for donation processing. Unauthorized actors could potentially access or manipulate donation data, interfere with payment processing, or perform administrative actions without permission. This could lead to financial fraud, data breaches involving donor information, and reputational damage for affected organizations. Nonprofits and charities using AidWP may face disruption in their fundraising activities, loss of donor trust, and potential legal liabilities related to data protection regulations. Since the vulnerability does not require authentication, it broadens the attack surface to any internet user, increasing the likelihood of exploitation. The overall impact includes compromised confidentiality and integrity of donation data and potential availability issues if the plugin’s functionality is disrupted.

Organizations should monitor the AidWP plugin vendor for official patches addressing CVE-2024-50459 and apply updates promptly once available. Until a patch is released, administrators should consider disabling the wp-stripe-donation functionality if feasible or restricting access to the plugin’s administrative interfaces via web application firewalls or IP whitelisting. Conduct a thorough review of access control configurations within the WordPress environment to ensure no excessive permissions are granted. Implement monitoring and logging for unusual activities related to donation processing to detect potential exploitation attempts. Additionally, consider isolating donation processing components from other critical systems to limit the blast radius of any compromise. Educate site administrators about the risks and encourage regular security audits of plugins and their configurations.