CVE-2024-5856 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Comment Images Reloaded WordPress plugin developed by wppuzzle. The issue exists in all versions up to and including 2.2.1 due to the absence of a proper capability check on the cir_delete_image AJAX action. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this AJAX endpoint and delete arbitrary media attachments from the WordPress media library. Since Subscriber-level access is commonly granted to registered users with minimal privileges, this vulnerability significantly lowers the barrier for exploitation. The attack vector is network-based and does not require user interaction, making it easier to exploit once an attacker has valid credentials. The vulnerability impacts availability by enabling unauthorized deletion of media files, which could disrupt website content and user experience. The CVSS v3.1 base score is 4.3 (medium), reflecting the limited scope of impact (no confidentiality or integrity loss) but ease of exploitation and potential disruption. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in June 2024 and published in July 2024 by Wordfence.

The primary impact of CVE-2024-5856 is the unauthorized deletion of media attachments, which can lead to partial denial of service by removing images or other media critical to website content. This can degrade user experience, damage brand reputation, and require time-consuming recovery efforts. Although the vulnerability does not expose sensitive data or allow modification of content beyond deletion, the loss of media files can disrupt marketing materials, product images, or user-generated content. Organizations relying on the Comment Images Reloaded plugin, especially those with many registered users or community contributors, face increased risk since attackers only need Subscriber-level access. This could be exploited in multi-user environments such as membership sites, forums, or blogs. The lack of known exploits suggests limited active targeting so far, but the low complexity and no user interaction needed make it a candidate for future exploitation. The impact is mostly on availability and operational continuity rather than confidentiality or integrity.

To mitigate CVE-2024-5856, organizations should first check for any official patches or updates from the plugin vendor and apply them promptly once available. In the absence of an official fix, administrators can implement custom capability checks by modifying the plugin code to ensure that only users with appropriate roles (e.g., Editor or Administrator) can invoke the cir_delete_image AJAX action. Restricting access to this AJAX endpoint via web application firewall (WAF) rules or server-level access controls can also reduce risk. Additionally, monitoring logs for suspicious AJAX requests related to media deletion can help detect exploitation attempts early. Regular backups of media files and the WordPress database are critical to enable quick recovery if unauthorized deletions occur. Limiting Subscriber-level user registrations or employing stricter user verification processes can reduce the pool of potential attackers. Finally, organizations should consider alternative plugins with better security track records if timely patching is not feasible.