CVE-2024-5677 is a vulnerability identified in the Featured Image Generator plugin for WordPress, developed by aumkub. The issue stems from a missing authorization check in the function fig_save_after_generate_image, which is responsible for handling image uploads after generation. This missing capability check allows any authenticated user with at least Subscriber-level privileges to upload arbitrary images to galleries associated with posts. Since Subscriber roles typically have minimal permissions, this vulnerability effectively escalates their ability to modify post-related media content without proper authorization. The vulnerability affects all versions up to and including 1.3.1 of the plugin. The CVSS 3.1 base score is 4.3 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (authenticated user), no user interaction, and impacting integrity only. The flaw does not affect confidentiality or availability, and no known exploits have been reported in the wild to date. The vulnerability is classified under CWE-862 (Missing Authorization). The absence of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for caution and mitigation by administrators.

The primary impact of CVE-2024-5677 is on data integrity within WordPress sites using the affected plugin. Attackers with Subscriber-level access can upload arbitrary images to post galleries, potentially leading to unauthorized content injection. This could be leveraged for defacement, distribution of malicious images, or embedding links to phishing or malware sites, indirectly impacting site reputation and user trust. Although the vulnerability does not directly compromise confidentiality or availability, the unauthorized content upload could facilitate further attacks such as social engineering or malware delivery. Organizations with large WordPress deployments or user bases that allow Subscriber-level accounts are at risk of exploitation. The impact is somewhat limited by the requirement for authenticated access, but given the widespread use of WordPress and the plugin, the vulnerability poses a moderate risk globally.

To mitigate CVE-2024-5677, organizations should first verify if they use the Featured Image Generator plugin and identify the version in use. Until an official patch is released, administrators should consider the following steps: 1) Restrict Subscriber-level accounts from uploading media by adjusting WordPress capabilities or using role management plugins to remove upload permissions from low-privilege users; 2) Monitor media libraries and post galleries for unauthorized or suspicious images; 3) Implement web application firewalls (WAFs) with custom rules to detect and block unauthorized image upload attempts targeting the vulnerable function; 4) Limit plugin usage to trusted users only and consider disabling or removing the plugin if not essential; 5) Stay updated with vendor announcements for patches and apply them promptly once available; 6) Conduct regular audits of user roles and permissions to ensure minimal privilege principles are enforced; 7) Employ content security policies (CSP) and malware scanning on uploaded media to detect and prevent malicious content distribution.