CVE-2024-6491 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Getwid – Gutenberg Blocks plugin for WordPress, developed by jetmonsters. The issue arises from the absence of a capability check in the mailchimp_api_key_manage function, which is responsible for managing the MailChimp API key within the plugin. This flaw allows any authenticated user with at least Contributor-level privileges to set or modify the MailChimp API key without proper authorization. Since Contributors typically have limited permissions focused on content creation and editing, this escalation of privilege to modify plugin settings represents a significant authorization bypass. The vulnerability affects all versions up to and including 2.0.10. The CVSS v3.1 base score is 4.3, reflecting a medium severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality or availability impact, but integrity impact present. Exploitation could allow attackers to manipulate the MailChimp API key, potentially redirecting or intercepting marketing data or causing disruption in email campaign management. No patches or exploits are currently reported, but the vulnerability's presence in a widely used WordPress plugin underscores the need for prompt mitigation.

The primary impact of this vulnerability is the unauthorized modification of the MailChimp API key by users with Contributor-level access or higher. This can lead to integrity issues where attackers or unauthorized users could replace the legitimate API key with one controlled by them, potentially redirecting email marketing data, harvesting subscriber information, or disrupting email campaigns. While the vulnerability does not directly compromise confidentiality or availability, the manipulation of API keys can indirectly lead to data leakage or loss of trust in marketing communications. Organizations relying on the Getwid plugin for their WordPress sites, especially those integrating MailChimp for customer engagement, may face reputational damage and operational disruptions. Since Contributors are common roles in many WordPress sites, the attack surface is broad, increasing the likelihood of exploitation in environments where access controls are not strictly enforced.

To mitigate this vulnerability, organizations should immediately restrict Contributor-level user capabilities to prevent unauthorized access to plugin settings. Implement role-based access control (RBAC) policies that limit the ability to modify plugin configurations to trusted administrators only. Monitor and audit changes to the MailChimp API key within the WordPress admin dashboard to detect unauthorized modifications. If possible, temporarily disable the Getwid plugin's MailChimp integration until a patch or update is released. Regularly update the Getwid plugin to the latest version once a fix is available. Additionally, consider implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the mailchimp_api_key_manage function. Educate site administrators and contributors about the risks of privilege misuse and enforce strong authentication mechanisms to reduce the risk of compromised accounts.