CVE-2024-5665 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin Login/Signup Popup (Inline Form + Woocommerce), specifically in versions 2.7.1 and 2.7.2. The flaw exists due to the absence of a proper capability check in the 'export_settings' function, which is responsible for exporting plugin settings. This missing authorization allows any authenticated user with at least Subscriber-level privileges to invoke this function and read arbitrary options from the affected WordPress site. Since WordPress Subscriber roles are commonly assigned to registered users with minimal permissions, this vulnerability significantly lowers the bar for exploitation. The attack vector is network-based and does not require user interaction, making it easier to exploit remotely. The vulnerability impacts confidentiality by exposing potentially sensitive configuration data but does not affect integrity or availability. The CVSS 3.1 base score is 4.3, indicating medium severity, with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. No public exploits are known at this time, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is used primarily on WordPress sites integrating WooCommerce, which are common in e-commerce environments.

The primary impact of CVE-2024-5665 is unauthorized disclosure of sensitive configuration data from affected WordPress sites. Attackers with Subscriber-level access can read arbitrary options, which may include API keys, payment gateway settings, or other sensitive plugin configurations. This exposure can facilitate further attacks such as privilege escalation, targeted phishing, or data theft. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach can undermine trust and compliance, especially for e-commerce sites handling customer data. Organizations relying on the affected plugin risk reputational damage and potential regulatory consequences if sensitive data is leaked. The ease of exploitation and the commonality of Subscriber roles increase the likelihood of exploitation in environments with many registered users. The lack of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits following public disclosure.

To mitigate CVE-2024-5665, organizations should immediately update the Login/Signup Popup (Inline Form + Woocommerce) plugin to a patched version once released by the vendor. In the absence of an official patch, administrators should restrict Subscriber-level user capabilities to minimize exposure, for example by limiting user registrations or reducing privileges where feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block unauthorized access attempts to the 'export_settings' function can provide temporary protection. Regularly auditing user roles and permissions to ensure least privilege principles are enforced will reduce the attack surface. Monitoring logs for unusual access patterns related to plugin settings export functions can help detect exploitation attempts. Additionally, isolating critical configuration data and using environment variables or secure vaults instead of storing sensitive data in plugin options can limit the impact of such vulnerabilities.