
CVE-2024-6489: CWE-862 Missing Authorization in jetmonsters Getwid – Gutenberg Blocks

Severity: Medium
Tags: CVE-2024-6489, CWE-862
Published: Sat Jul 20 2024 (07/20/2024, 06:43:48 UTC)
Source: CVE Database V5
Vendor/Project: jetmonsters
Product: Getwid – Gutenberg Blocks

Description

CVE-2024-6489 is a medium severity vulnerability in the Getwid – Gutenberg Blocks WordPress plugin that allows authenticated users with Contributor-level access or higher to modify the MailChimp API key due to missing authorization checks. The flaw exists in the get_google_api_key function, which lacks proper capability verification, enabling unauthorized data modification. Exploitation requires no user interaction beyond having Contributor or higher privileges. While it does not impact confidentiality or availability, it compromises integrity by allowing unauthorized changes to API keys, potentially leading to further misuse. No known exploits are currently reported in the wild. Organizations using this plugin should apply patches or implement strict access controls to mitigate risk. Countries with significant WordPress usage and active Getwid plugin deployments, such as the United States, Germany, United Kingdom, Canada, Australia, and India, are most likely affected.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 03:12:09 UTC

Technical Analysis

CVE-2024-6489 identifies a missing authorization vulnerability (CWE-862) in the Getwid – Gutenberg Blocks plugin for WordPress, specifically affecting all versions up to and including 2.0.10. The vulnerability arises from the get_google_api_key function, which lacks a proper capability check, allowing authenticated users with Contributor-level permissions or higher to modify the MailChimp API key stored by the plugin. This missing authorization means that users who normally should not have permission to alter API keys can do so, potentially leading to unauthorized changes in the plugin's integration with MailChimp services. The vulnerability does not require elevated privileges beyond Contributor, nor does it require user interaction, making it relatively easy to exploit within environments where such user roles exist. The CVSS v3.1 score is 5.3 (medium), reflecting that the attack vector is network-based, with low attack complexity, no privileges required beyond Contributor, no user interaction, and limited impact on integrity only. There is no impact on confidentiality or availability. No patches were linked at the time of publication, and no known exploits in the wild have been reported. The vulnerability could be leveraged to alter API keys, potentially enabling unauthorized access or manipulation of MailChimp integrations, which could affect marketing campaigns or data flows reliant on these keys.

Potential Impact

The primary impact of CVE-2024-6489 is unauthorized modification of the MailChimp API key within the affected WordPress plugin. This compromises the integrity of the plugin's configuration and could lead to misuse of MailChimp services, such as unauthorized email campaigns, data exfiltration, or disruption of marketing workflows. While the vulnerability does not directly expose sensitive data or cause denial of service, the ability to alter API keys can indirectly lead to reputational damage, loss of customer trust, and potential compliance issues if unauthorized communications occur. Organizations with Contributor-level users or higher on WordPress sites using this plugin are at risk. Attackers could exploit this vulnerability to escalate their influence within the marketing infrastructure or pivot to other attacks leveraging compromised API credentials. The scope is limited to environments where the plugin is installed and Contributor or higher roles exist, but given WordPress's widespread use, the potential impact is significant for affected sites.

Mitigation Recommendations

To mitigate CVE-2024-6489, organizations should immediately update the Getwid – Gutenberg Blocks plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level permissions and above to trusted users only, minimizing the risk of exploitation. Implementing strict role-based access controls and auditing user roles regularly can reduce exposure. Additionally, monitoring and rotating MailChimp API keys periodically will limit the window of opportunity for misuse. Site administrators can also consider temporarily disabling the plugin or removing Contributor-level user capabilities until a fix is applied. Reviewing and hardening WordPress security configurations, including limiting plugin installations and enforcing the principle of least privilege, will further reduce risk. Finally, monitoring logs for unusual changes to API keys or plugin settings can help detect exploitation attempts early.
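The Technical Analysis above describes the CWE-862 pattern (an authenticated plugin handler that writes an API key without a capability check) and the Mitigation section asks for monitoring of key changes. The following is an added illustration in WordPress PHP, not Getwid's code and not the actual `get_google_api_key` function: the option name `example_mailchimp_api_key`, the AJAX action names and the `example_` function names are all hypothetical, chosen to show the vulnerable shape, the hardened shape, and an audit hook side by side.

```php
<?php
// Added illustration (not Getwid's code). Hypothetical option name and AJAX
// actions; the pattern is the CWE-862 class the advisory describes: a logged-in
// AJAX handler writes an API key option without checking who is calling.

// BEFORE: wp_ajax_ hooks fire for any logged-in user, so a Contributor who can
// reach admin-ajax.php can overwrite the stored key.
function example_save_api_key_vulnerable() {
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_mailchimp_api_key', $key ); // no capability check, no nonce
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_api_key_vulnerable', 'example_save_api_key_vulnerable' );

// AFTER: require a capability Contributors do not have, plus a nonce so the
// request must originate from the plugin's own settings screen.
function example_save_api_key_fixed() {
    check_ajax_referer( 'example_save_api_key', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_mailchimp_api_key', $key );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_api_key_fixed', 'example_save_api_key_fixed' );

// DETECTION: record who changed the key and from where, so a change made by a
// low-privilege account stands out in the PHP error log or a SIEM fed from it.
function example_audit_api_key_change( $option, $old_value, $value ) {
    if ( 'example_mailchimp_api_key' !== $option ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'API key option changed by user_id=%d roles=%s from %s',
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown'
    ) );
}
add_action( 'updated_option', 'example_audit_api_key_change', 10, 3 );
```

The audit hook fires only when the stored value actually changes, which is the event worth alerting on; a Contributor role appearing in that log line is the signal the Mitigation section's log review is looking for.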


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-07-03T18:48:41.173Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c04b7ef31ef0b55f002

Added to database: 2/25/2026, 9:39:16 PM

Last enriched: 2/26/2026, 3:12:09 AM

Last updated: 2/26/2026, 12:44:19 PM
