CVE-2024-5637: CWE-862 Missing Authorization in vanyukov Market Exporter
CVE-2024-5637 is a high-severity vulnerability in the vanyukov Market Exporter WordPress plugin (up to version 2.0.19) that allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server via a missing authorization check in the 'remove_files' function. The flaw enables path traversal attacks leading to unauthorized file deletion without requiring elevated privileges beyond basic authentication. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to website availability and data integrity. Exploitation requires no user interaction and can be performed remotely over the network. Organizations using this plugin should prioritize patching or applying mitigations immediately to prevent potential service disruption or data loss. Countries with large WordPress user bases and e-commerce activity are most at risk. The CVSS score is 7.5, reflecting high impact on availability with low attack complexity and no user interaction needed.
AI Analysis
Technical Summary
CVE-2024-5637 is a vulnerability identified in the Market Exporter plugin for WordPress, developed by vanyukov, affecting all versions up to and including 2.0.19. The core issue is a missing authorization check (CWE-862) on the 'remove_files' function, which fails to verify whether the authenticated user has the necessary capabilities to perform file deletion operations. This allows any authenticated user with at least Subscriber-level access to exploit a path traversal vulnerability to delete arbitrary files on the hosting server. The vulnerability does not require elevated privileges beyond basic authentication, nor does it require user interaction, making it easier to exploit remotely. The attack vector is network-based, and the vulnerability impacts availability by enabling attackers to disrupt website functionality or delete critical files. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a significant threat. The CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a high severity due to the potential for denial of service through file deletion, with no impact on confidentiality or integrity directly. The vulnerability was published on June 7, 2024, and is tracked under CWE-862 (Missing Authorization).
Potential Impact
The primary impact of CVE-2024-5637 is on the availability of affected WordPress sites using the Market Exporter plugin. Attackers with minimal privileges can delete arbitrary files, potentially leading to website downtime, loss of critical data, or corruption of the WordPress installation. This can disrupt business operations, especially for e-commerce or content-driven sites relying on this plugin for exporting market data. The lack of proper authorization checks means that even low-privilege users or compromised subscriber accounts can cause significant damage. While confidentiality and integrity are not directly affected, the deletion of files can indirectly lead to data loss and service interruptions, which may result in reputational damage and financial losses. Organizations may face increased recovery costs and operational delays. The vulnerability also increases the attack surface for further exploitation if critical system files are deleted, potentially enabling privilege escalation or further compromise.
Mitigation Recommendations
To mitigate CVE-2024-5637, organizations should immediately update the Market Exporter plugin to a patched version once available from the vendor. In the absence of an official patch, administrators should restrict plugin usage to trusted users only, removing Subscriber-level or higher access from untrusted accounts. Implement strict user role management and audit existing user permissions to minimize exposure. Employ Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the 'remove_files' function or related plugin endpoints. Regularly back up website files and databases to enable rapid recovery in case of file deletion. Monitor server logs for suspicious activity indicative of exploitation attempts. Additionally, consider disabling or removing the Market Exporter plugin if it is not essential to reduce the attack surface. Finally, apply the principle of least privilege to all WordPress user roles and enforce strong authentication mechanisms to prevent account compromise.
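As an added example that is not the Market Exporter plugin's own code, the pattern a WordPress file-removal handler needs to close both halves of the issue described in the Technical Summary and the Mitigation Recommendations: the capability check that CWE-862 says was missing, a nonce, and confinement of the requested name to the export directory so traversal sequences cannot reach other files. The action name, nonce name, POST field, export subdirectory and allowed extension are hypothetical.

```php
<?php
// Added example, not the Market Exporter plugin's own code: an admin-ajax
// handler that deletes an export file only after the checks CWE-862 says
// were missing. Action name, nonce name, POST field 'file', export
// subdirectory and the allowed extension are hypothetical.
add_action( 'wp_ajax_me_example_remove_file', 'me_example_remove_file' );

function me_example_remove_file() {
    // 1. Authorization: the missing check. A Subscriber has no 'manage_options',
    //    so the request stops here with 403 before any path is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: require the nonce issued by the plugin's own settings page.
    check_ajax_referer( 'me_example_remove_file', 'nonce' );

    // 3. Path confinement: accept a bare file name only, never a path.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    $uploads   = wp_upload_dir();
    $base      = trailingslashit( $uploads['basedir'] ) . 'market-exporter-example/';
    $real_base = realpath( $base );
    $real_path = realpath( $base . $name );

    // realpath() resolves '..' and symlinks; anything that lands outside $base
    // is rejected, which is what defeats the traversal component of the advisory.
    if ( false === $real_base || false === $real_path
        || 0 !== strpos( $real_path, trailingslashit( $real_base ) ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Allowlist: only regular files with the export extension (hypothetical 'xml').
    if ( ! is_file( $real_path ) || 'xml' !== strtolower( pathinfo( $real_path, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'not an export file', 400 );
    }

    if ( ! unlink( $real_path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

Logging the rejected requests from steps 1 and 3 (user ID, requested name, remote address) gives the server-side signal the mitigation paragraph asks administrators to monitor for.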
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-06-04T15:22:44.778Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bedb7ef31ef0b55cacb
Added to database: 2/25/2026, 9:38:53 PM
Last enriched: 2/26/2026, 2:43:52 AM
Last updated: 2/26/2026, 11:13:34 AM