CVE-2024-6000: CWE-285 Improper Authorization in FooEvents FooEvents for WooCommerce
CVE-2024-6000 is a high-severity vulnerability in the FooEvents for WooCommerce WordPress plugin. An incorrect capability check in the 'display_ticket_themes_page' function lets authenticated users with Contributor-level or higher privileges upload arbitrary files, which can lead to remote code execution. All versions up to and including 1.19.20 are affected; 1.19.20 shipped only a partial fix and 1.19.21 the full patch. Exploitation requires authentication and some user interaction but can severely impact the confidentiality, integrity, and availability of affected sites.
AI Analysis
Technical Summary
CVE-2024-6000 is an improper authorization vulnerability (CWE-285) in the FooEvents for WooCommerce plugin for WordPress. The root cause is an incorrect capability check in the 'display_ticket_themes_page' function, which controls access to the plugin's ticket-themes admin page: the check accepts users with Contributor-level privileges or higher, so those users can reach functionality intended for administrators and upload arbitrary files to the server. An attacker who can place a PHP file in a web-reachable directory can then request it and execute code, compromising the WordPress instance and potentially the underlying web server. All versions up to and including 1.19.20 are affected; 1.19.20 introduced a partial fix, and only 1.19.21 fully addresses the issue. The CVSS 3.1 base score is 7.1 (High), reflecting a network attack vector, low attack complexity, low privileges required, and required user interaction. Confidentiality, integrity, and availability are all affected, since an attacker can run code, read data, or disrupt service. No public exploit has been reported, but any account at Contributor level or above is enough to attempt exploitation, and such accounts are common on stores with multiple staff or content authors. Given the plugin's use on WooCommerce e-commerce sites, the risk for online retailers is significant.
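The advisory describes the bug class but not the plugin's code. The following is an added illustration, not FooEvents code: an admin-page upload handler written twice, once with the kind of capability check CWE-285 describes and once hardened. Every name in it (the page slug 'example-ticket-themes', the field 'theme_zip', the nonce action 'example_upload_theme', the directory) is invented for the example; only the WordPress API calls are real.

```php
<?php
/**
 * Added illustration, not FooEvents code. All slugs, field names and
 * directories are hypothetical. WordPress functions used are real.
 *
 * Contributor, Author, Editor and Administrator all hold 'edit_posts'.
 * A Contributor may draft posts; it must not administer a plugin or
 * place files on disk.
 */

/** Vulnerable form: gated by a capability that Contributors hold. */
function example_vulnerable_theme_upload() {
    if ( ! current_user_can( 'edit_posts' ) ) {           // too weak
        wp_die( 'Not allowed' );
    }
    if ( empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // No nonce, no type check, attacker-chosen filename: shell.php lands
    // in a directory the web server will execute from.
    $dest = wp_upload_dir()['basedir'] . '/example-ticket-themes/'
          . $_FILES['theme_zip']['name'];
    move_uploaded_file( $_FILES['theme_zip']['tmp_name'], $dest );
}

/** Hardened form: admin-only capability, nonce, content-based type check. */
function example_hardened_theme_upload() {
    // 1. Only administrators (on WooCommerce, possibly 'manage_woocommerce'
    //    for shop managers) should reach this code path at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    // 2. Tie the request to a nonce so it cannot be forged cross-site.
    check_admin_referer( 'example_upload_theme' );

    if ( empty( $_FILES['theme_zip'] )
        || UPLOAD_ERR_OK !== $_FILES['theme_zip']['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded' );
    }
    $file = $_FILES['theme_zip'];

    // 3. Decide the type from content and extension together; never trust
    //    the client-supplied MIME type or a bare extension test.
    $allowed = array( 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( 'zip' !== $check['ext'] || 'application/zip' !== $check['type'] ) {
        return new WP_Error( 'bad_type', 'Only .zip theme packages are accepted' );
    }

    // 4. Let WordPress move the file: it re-validates, sanitizes the name
    //    and picks the destination itself. test_form=false because this is
    //    not the core media form.
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upload_failed', $moved['error'] );
    }
    return $moved['file'];
}

// The menu registration must agree with the handler: the capability given
// here decides who sees the page, and the handler re-checks it because
// admin.php?page=... can be requested directly.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'options-general.php', 'Ticket Themes (example)', 'Ticket Themes (example)',
        'manage_options',                   // not 'edit_posts'
        'example-ticket-themes',
        function () {
            $result = empty( $_FILES['theme_zip'] ) ? null : example_hardened_theme_upload();
            echo '<div class="wrap"><h1>Ticket Themes (example)</h1>';
            if ( is_wp_error( $result ) ) {
                echo '<p>' . esc_html( $result->get_error_message() ) . '</p>';
            }
            echo '<form method="post" enctype="multipart/form-data">';
            wp_nonce_field( 'example_upload_theme' );
            echo '<input type="file" name="theme_zip"> <button>Upload</button></form></div>';
        }
    );
} );
```

The difference between the two handlers is the whole vulnerability class: a capability that merely proves "this user may write posts" is accepted as proof of "this user may administer the plugin". When reviewing a plugin for the same defect, compare the capability in every add_menu_page/add_submenu_page call and every admin-post or AJAX handler against the lowest role that actually holds it; `edit_posts`, `upload_files` and `read` are the usual offenders.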
Potential Impact
The impact of CVE-2024-6000 is substantial for organizations running WooCommerce stores with the FooEvents plugin. An attacker holding a relatively low-privilege account can upload arbitrary files, and an uploaded web shell gives remote code execution: full site compromise, data theft, defacement, or use of the server as a pivot into other systems. Customer data handled by the store, including personal and payment-related information, could be exposed or manipulated, and the storefront itself can be taken offline, with direct financial and reputational cost. Because Contributor-level accounts are typically held by legitimate content authors or staff, the attack surface includes both insider misuse and ordinary account takeover; sites with many contributors are correspondingly more exposed. The absence of known in-the-wild exploitation reduces immediate risk, but the low skill required and the severity of the outcome make prompt remediation critical.
Mitigation Recommendations
To mitigate this vulnerability, upgrade the FooEvents for WooCommerce plugin to version 1.19.21 or later, where the issue is fully patched; 1.19.20 contains only a partial fix and remains in the affected range. Until the upgrade is applied, prevent Contributor-level and higher roles from reaching the affected functionality, for example by enforcing a stricter capability check in a must-use plugin, or temporarily deactivate the plugin if the site can tolerate it. Audit user roles so that only trusted accounts hold Contributor or higher privileges, and remove or downgrade stale accounts. Add WAF rules that block suspicious file uploads to the plugin's admin endpoints, in particular uploads carrying PHP or other server-executable content. Deny PHP execution inside wp-content/uploads at the web server; this does not remove the flaw but turns a successful upload into a far weaker primitive. Review web server logs and the uploads directory for unexpected PHP files or for requests that execute scripts under the uploads path, since a file that should not be there is a sign the flaw may already have been used. Enforce strong authentication and multi-factor authentication for every account with elevated privileges to limit the damage from credential compromise. Keep tested backups so the site can be restored quickly if compromise is confirmed.
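The log-review and uploads-directory checks above can be scripted. The following is an added example, not part of the advisory and not the plugin's code: a small PHP hunt for the outcome the advisory warns about, a server-side script dropped into wp-content/uploads and then executed over HTTP. The log lines embedded in it are constructed for the demonstration, the extension list is an assumption about what the web server will execute, and the function names are invented.

```php
<?php
/**
 * Added example, not from the advisory or the plugin.
 *
 * Check 1 walks an uploads tree and flags files the web server might
 * execute, by extension (including double extensions) or by a PHP open
 * tag hidden inside a file with an innocent name.
 * Check 2 scans combined-format access log lines for requests that run a
 * script under the uploads path, which legitimate traffic never does.
 *
 * Usage:  php hunt.php [/path/to/wp-content/uploads]
 */

// Assumed set of extensions the server treats as executable.
const EXEC_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps' );

function example_find_executable_uploads( string $uploads_dir ): array {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        // Every extension after the first dot counts: shell.php.jpg still
        // runs under an Apache AddHandler-by-extension configuration.
        $parts   = array_map( 'strtolower', explode( '.', basename( $path ) ) );
        $by_ext  = count( array_intersect( array_slice( $parts, 1 ), EXEC_EXTENSIONS ) ) > 0;
        // Look inside the first 8 KiB regardless of the name.
        $head    = file_get_contents( $path, false, null, 0, 8192 );
        $by_body = false !== $head && 1 === preg_match( '/<\?(php|=)/i', $head );
        if ( $by_ext || $by_body ) {
            $hits[] = array( 'path' => $path, 'by_ext' => $by_ext, 'by_body' => $by_body );
        }
    }
    return $hits;
}

// Combined log format: host ident user [time] "METHOD target PROTO" status bytes ...
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';

function example_flag_log_lines( array $lines ): array {
    $flagged = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_RE, $line, $m ) ) {
            continue;
        }
        [ , $ip, $time, $method, $target, $status ] = $m;
        $p    = parse_url( $target, PHP_URL_PATH );
        $path = is_string( $p ) ? strtolower( $p ) : '';
        $ext  = pathinfo( $path, PATHINFO_EXTENSION );
        // Substring match so sub-directory installs (/blog/wp-content/...) match too.
        $in_uploads = false !== strpos( $path, '/wp-content/uploads/' );
        // A 404 is probing; any other status means the file exists and was served.
        if ( $in_uploads && in_array( $ext, EXEC_EXTENSIONS, true ) && '404' !== $status ) {
            $flagged[] = array( 'ip' => $ip, 'time' => $time, 'method' => $method,
                                'path' => $path, 'status' => (int) $status );
        }
    }
    return $flagged;
}

// Constructed sample lines for the demonstration, not real traffic.
$sample = array(
    '203.0.113.5 - - [26/Feb/2026:03:00:02 +0000] "GET /wp-content/uploads/2026/02/cache.php?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Feb/2026:03:01:10 +0000] "GET /wp-content/uploads/2026/02/banner.jpg HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Feb/2026:03:02:44 +0000] "POST /wp-content/uploads/2026/02/x.phtml HTTP/1.1" 404 0 "-" "curl/8.0"',
);
foreach ( example_flag_log_lines( $sample ) as $hit ) {
    printf( "SUSPECT %s %s %s %s -> %d\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'] );
}
if ( isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    foreach ( example_find_executable_uploads( $argv[1] ) as $hit ) {
        printf( "EXECUTABLE %s (ext=%d body=%d)\n", $hit['path'], $hit['by_ext'], $hit['by_body'] );
    }
}
```

Of the three constructed lines only the request for cache.php is reported: the JPEG is not executable and the .phtml request returned 404, so it is a probe rather than a working shell. Pair the script with the server-side block on PHP execution under uploads (Apache: `php_flag engine off` or `Require all denied` for `*.php` in a `.htaccess` under uploads; nginx: a `location` that returns 403 for `/wp-content/uploads/.*\.php$`), and treat any hit from either check as an incident to investigate, not a file to quietly delete.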
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-06-14T15:18:32.652Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bfab7ef31ef0b55d3eb
Added to database: 2/25/2026, 9:39:06 PM
Last enriched: 2/26/2026, 2:59:40 AM
Last updated: 2/26/2026, 9:35:37 AM
Related Threats
- CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing (High)
- CVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS (High)
- CVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews (High)
- CVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements (High)
- CVE-2026-28083: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in UX-themes Flatsome (High)