CVE-2024-5674: CWE-862 Missing Authorization in The Newsletter Team Newsletter - API v1 and v2 addon for Newsletter
CVE-2024-5674 is a medium-severity vulnerability in The Newsletter Team's Newsletter - API v1 and v2 addon for WordPress, affecting all versions up to 2.4.5 when running on PHP versions below 8.0. Due to a PHP type juggling issue in the check_api_key function, unauthenticated attackers can bypass authorization controls and manage newsletter subscribers, including listing, creating, or deleting them. The vulnerability does not require user interaction or authentication and can be exploited remotely over the network. Although no known exploits are currently reported in the wild, the flaw poses a risk to the confidentiality and integrity of subscriber data. Organizations using this plugin on vulnerable PHP versions should prioritize upgrading PHP or applying patches once available. This vulnerability primarily impacts WordPress sites globally that use this plugin and older PHP versions, with particular risk in countries where WordPress market share is high and PHP 7.x remains common.
AI Analysis
Technical Summary
CVE-2024-5674 is a vulnerability classified under CWE-862 (Missing Authorization) found in The Newsletter Team's Newsletter - API v1 and v2 addon plugin for WordPress. The root cause is a PHP type juggling issue within the check_api_key function, which improperly validates API keys due to weak type comparisons. This flaw allows unauthenticated remote attackers to bypass authorization checks and perform subscriber management operations such as listing, creating, or deleting newsletter subscribers. The vulnerability affects all versions of the plugin up to and including 2.4.5 but only on systems running PHP versions below 8.0, as PHP 8.0 and above have stricter type handling that mitigates this issue. The attack vector is network-based with no privileges or user interaction required, making exploitation relatively straightforward. The impact primarily compromises confidentiality and integrity of subscriber data but does not affect availability. No public exploits have been reported yet, but the vulnerability is rated with a CVSS 3.1 base score of 6.5 (medium severity), reflecting its moderate risk. Organizations using this plugin should monitor for patches and consider upgrading PHP to version 8.0 or higher to mitigate the vulnerability.
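The following PHP snippet is an added illustration of the weak-comparison class the analysis above describes, placed beside a hardened check. It is not the plugin's check_api_key code; the function names, the stored key and the JSON request bodies are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: loose (==) API-key comparison beside a strict one.
// NOT the plugin's code; names, key and request bodies are hypothetical.

// Hypothetical configured API key. It is a non-numeric string, which is
// exactly the case where PHP's loose comparison rules differ by version.
const STORED_API_KEY = 'k7f3q9z2p1';

// Weak check: loose equality. Before PHP 8.0, comparing int 0 with a
// non-numeric string converts the string to 0, so 0 == 'k7f3q9z2p1' is true.
// PHP 8.0 changed the rule: a number compared with a non-numeric string is
// compared as strings, so the same expression is false there.
function check_api_key_loose($supplied): bool
{
    return $supplied == STORED_API_KEY;
}

// Hardened check: require a string, then compare with hash_equals(), which is
// type-strict and constant-time. Same result on every PHP version.
function check_api_key_strict($supplied): bool
{
    return is_string($supplied) && hash_equals(STORED_API_KEY, $supplied);
}

// Constructed JSON bodies. A JSON client controls the *type* of "api_key",
// not only its value, so the decoded value may be int, bool or null.
$samples = [
    '{"api_key": "k7f3q9z2p1"}',  // genuine key: both checks accept
    '{"api_key": "nope"}',        // wrong string: both checks reject
    '{"api_key": 0}',             // int 0: loose check accepts on PHP < 8.0 only
    '{"api_key": true}',          // bool true: loose check accepts on every PHP version
    '{"api_key": null}',          // null: both reject (null == non-empty string is false)
];

printf("PHP %s\n", PHP_VERSION);
foreach ($samples as $body) {
    $key = json_decode($body, true)['api_key'];
    printf("%-26s loose=%-5s strict=%s\n",
        $body,
        var_export(check_api_key_loose($key), true),
        var_export(check_api_key_strict($key), true)
    );
}
```

Run it once under PHP 7.4 and once under PHP 8.x to see the `0` row flip from `loose=true` to `loose=false`, which is the version boundary the advisory draws. Note that the `true` row is accepted by the loose check on both versions: upgrading PHP removes the integer-coercion case, but only a type-strict comparison such as `hash_equals()` on a verified string closes the whole class. The `is_string()` guard matters because `hash_equals()` requires two strings (it throws a TypeError on PHP 8 and warns and returns false on PHP 7 otherwise).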
Potential Impact
The vulnerability allows unauthorized attackers to access and manipulate newsletter subscriber data without authentication, leading to potential data leakage, subscriber list tampering, and disruption of newsletter communications. Confidential subscriber information could be exposed or altered, undermining trust and potentially violating privacy regulations such as GDPR. Integrity of subscriber lists can be compromised by unauthorized additions or deletions, which may affect marketing campaigns and customer engagement. Although availability is not directly impacted, the unauthorized control over subscriber data could indirectly disrupt business operations reliant on accurate mailing lists. Organizations with large subscriber bases or those in regulated industries face heightened risks. The ease of exploitation and network accessibility increase the likelihood of attacks, especially on sites running outdated PHP versions. This could lead to reputational damage, legal consequences, and financial losses if exploited at scale.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately verify the PHP version running on their WordPress servers and upgrade to PHP 8.0 or later, as this resolves the underlying type juggling issue. If upgrading PHP is not immediately feasible, administrators should disable or restrict access to the Newsletter - API v1 and v2 addon until a vendor patch is released. Monitoring and logging API access attempts can help detect suspicious activity related to subscriber management. Applying web application firewall (WAF) rules to block unauthorized API requests targeting the newsletter endpoints can provide temporary protection. Organizations should also ensure that the Newsletter plugin and its addons are kept up to date with the latest security patches once available. Conducting regular security audits and penetration testing focused on API authorization controls will help identify similar weaknesses. Finally, limiting API exposure to trusted IP addresses or VPNs can reduce the attack surface.
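As an added triage helper (not part of the advisory or the vendor's tooling), the PHP script below applies the two affected-version conditions stated above, addon version 2.4.5 or lower together with PHP below 8.0, to an inventory of sites and prints the advisory's remediation order for each match. The inventory rows are constructed sample data, and the one addon version above 2.4.5 is a hypothetical placeholder, not a real release number.

```php
<?php
// Added example: per-site triage for CVE-2024-5674 using the advisory's two
// conditions. Inventory values below are constructed, not real hosts.

// True only when both conditions hold: addon <= 2.4.5 AND PHP < 8.0.
function needs_action(string $phpVersion, string $addonVersion): bool
{
    $oldPhp   = version_compare($phpVersion, '8.0.0', '<');
    $affected = version_compare($addonVersion, '2.4.5', '<=');  // 2.4.5 inclusive
    return $oldPhp && $affected;
}

// Remediation order from the advisory: PHP upgrade first, otherwise restrict the addon.
function recommendation(string $phpVersion, string $addonVersion): string
{
    if (!needs_action($phpVersion, $addonVersion)) {
        return 'no action for CVE-2024-5674';
    }
    return 'upgrade PHP to 8.0+; until then disable or restrict the API addon';
}

// Constructed inventory: site => [PHP version, addon version]
$inventory = [
    'shop.example' => ['7.4.33', '2.4.5'],   // affected: both conditions hold
    'blog.example' => ['8.1.27', '2.4.5'],   // PHP 8.1 removes the juggling case
    'news.example' => ['7.3.33', '9.9.9'],   // hypothetical later addon build, not affected
    'docs.example' => ['7.4.33', '2.4.0'],   // affected
];

foreach ($inventory as $site => [$php, $addon]) {
    printf("%-13s php=%-7s addon=%-6s %s\n", $site, $php, $addon, recommendation($php, $addon));
}
```

`version_compare()` handles multi-component strings correctly (so `7.4.33` sorts below `8.0.0` even though 33 > 0), which is why it is used instead of a plain string or float comparison. Feed it the values reported by `php -v` and the plugin's version field from the WordPress admin or your configuration management system.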
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-06-06T08:37:46.311Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6befb7ef31ef0b55cc74
Added to database: 2/25/2026, 9:38:55 PM
Last enriched: 2/26/2026, 2:46:23 AM
Last updated: 2/26/2026, 8:04:42 AM