CVE-2024-6500 is a critical missing authorization vulnerability (CWE-862) found in the inspirelabs InPost PL and InPost for WooCommerce plugins for WordPress. The vulnerability exists in the 'parse_request' function, which lacks proper capability checks, allowing unauthenticated attackers to perform unauthorized actions. Specifically, attackers can read arbitrary files on both Windows and Linux servers and delete files arbitrarily on Windows servers. On Linux, deletion is restricted to files within the WordPress installation directory, but reading is unrestricted across the system. The vulnerability affects all versions up to 1.4.0 for InPost for WooCommerce and up to 1.4.4 for InPost PL. The CVSS 3.1 base score is 10.0, reflecting the vulnerability's ease of exploitation (network vector, no privileges required, no user interaction), high impact on confidentiality and availability, and scope change due to the potential to affect the entire system. The vulnerability was publicly disclosed in August 2024, with no patches currently available. The lack of authorization checks in a core request parsing function makes this a severe threat to WordPress sites using these plugins, potentially allowing attackers to compromise site data, disrupt services, and exfiltrate sensitive information.

The impact of CVE-2024-6500 is severe for organizations using the affected WordPress plugins. Attackers can read sensitive configuration files, source code, and other data, leading to confidentiality breaches. On Windows servers, the ability to delete arbitrary files can cause significant data loss, service disruption, and potential site defacement or downtime. On Linux servers, while deletion is limited to the WordPress directory, this still allows attackers to erase critical website files, causing availability issues and potential loss of business continuity. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of widespread automated attacks. Organizations relying on these plugins for e-commerce or logistics services may face operational disruptions, reputational damage, and regulatory compliance issues due to data exposure or loss. The broad scope of affected systems and the critical nature of the flaw make it a high-priority threat globally.

1. Immediate action should be to disable the affected plugins (InPost for WooCommerce and InPost PL) until a security patch is released by inspirelabs. 2. Monitor official vendor channels and WordPress plugin repositories for updates or patches addressing CVE-2024-6500 and apply them promptly. 3. Implement web application firewalls (WAF) with custom rules to block unauthorized access attempts targeting the 'parse_request' function or suspicious HTTP requests related to these plugins. 4. Restrict file system permissions on the server to limit the ability of the web server process to delete or read sensitive files outside necessary directories, especially on Windows servers. 5. Conduct regular backups of website files and databases to enable rapid recovery in case of file deletion or data loss. 6. Audit server logs for unusual access patterns or file deletion events to detect potential exploitation attempts early. 7. Consider isolating WordPress installations in containerized or sandboxed environments to reduce the blast radius of potential attacks. 8. Educate site administrators about the risks of using outdated plugins and the importance of timely updates and security best practices.