CVE-2024-6599: CWE-862 Missing Authorization in mekshq Meks Video Importer
CVE-2024-6599 is a medium severity vulnerability in the Meks Video Importer WordPress plugin that allows authenticated users with Subscriber-level access or higher to modify the plugin's API keys due to missing authorization checks. The flaw exists in the ajax_save_settings function, which lacks proper capability validation, enabling unauthorized API key changes without requiring user interaction. Although the vulnerability does not impact confidentiality or availability directly, it compromises the integrity of the plugin's configuration. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying access control restrictions to prevent misuse. The vulnerability affects all versions up to 1.0.11. Countries with significant WordPress usage and large WordPress plugin ecosystems, such as the United States, Germany, United Kingdom, Australia, and Canada, are most likely to be impacted. Defenders should ensure strict role-based access controls and monitor for suspicious API key changes to mitigate risk.
AI Analysis
Technical Summary
CVE-2024-6599 is a vulnerability identified in the Meks Video Importer plugin for WordPress, affecting all versions up to and including 1.0.11. The root cause is a missing authorization check (CWE-862) in the ajax_save_settings function, which is responsible for saving plugin settings via an AJAX request. This function does not verify whether the authenticated user has sufficient privileges to modify the plugin's API keys. As a result, any authenticated user with at least Subscriber-level access—which is a low-privilege role in WordPress—can exploit this flaw to change the API keys used by the plugin. This unauthorized modification can lead to integrity issues, such as redirecting video imports or altering plugin behavior in unintended ways. The vulnerability does not affect confidentiality or availability directly, and no user interaction is required beyond authentication. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the low complexity of exploitation but limited impact scope. No public exploits or patches are currently available, so mitigation relies on access control and monitoring. The vulnerability was published on July 18, 2024, and assigned by Wordfence.
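The pattern described above, shown as an added illustration rather than the plugin's own code: a WordPress AJAX settings handler with no capability check beside one that enforces authorization and a nonce before writing. The hook name, option name, nonce action and function names are all placeholders.

```php
<?php
// Added example, not Meks Video Importer code. Hook and option names are placeholders.

// Vulnerable pattern (CWE-862): every logged-in user can reach wp_ajax_* handlers,
// and nothing here asks whether this user is allowed to change plugin settings.
function example_ajax_save_settings_unchecked() {
    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_plugin_api_key', $api_key ); // a Subscriber can overwrite this
    wp_send_json_success();
}

// Hardened handler: authorization (capability) and CSRF (nonce) checks before any write.
function example_ajax_save_settings_checked() {
    // Authorization: only users who may manage site options get past this line.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Nonce: the request must originate from the plugin's own settings page.
    // check_ajax_referer() terminates the request itself when the nonce is invalid.
    check_ajax_referer( 'example_plugin_save_settings', 'nonce' );

    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_plugin_api_key', $api_key );
    wp_send_json_success();
}

// Register only the checked handler. Hooking wp_ajax_ (rather than wp_ajax_nopriv_) still
// admits every authenticated role, which is why the capability check above is required.
add_action( 'wp_ajax_example_plugin_save_settings', 'example_ajax_save_settings_checked' );
```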
Potential Impact
The primary impact of CVE-2024-6599 is the unauthorized modification of API keys within the Meks Video Importer plugin, which can undermine the integrity of the plugin's operations. Attackers with Subscriber-level access can alter API keys, potentially redirecting video content sources or disrupting expected plugin functionality. While this does not directly expose sensitive data or cause denial of service, it can facilitate further attacks or misuse of the plugin's integration points. Organizations relying on this plugin for video content management may experience operational inconsistencies or unauthorized content manipulation. Since the vulnerability requires only low-level authenticated access, it increases the risk from compromised or malicious low-privilege accounts. The absence of known exploits limits immediate widespread impact, but the vulnerability could be leveraged in targeted attacks against WordPress sites using this plugin.
Mitigation Recommendations
To mitigate CVE-2024-6599, organizations should:
1) Immediately restrict Subscriber-level and other low-privilege user roles from accessing or interacting with the Meks Video Importer plugin settings, ideally by customizing role capabilities or using access control plugins.
2) Monitor logs and audit trails for any unauthorized changes to plugin API keys or settings, focusing on actions performed by low-privilege accounts.
3) If possible, disable or remove the Meks Video Importer plugin until a vendor patch is released.
4) Engage with the plugin vendor or community to obtain or request a patch that properly enforces capability checks in ajax_save_settings.
5) Implement multi-factor authentication (MFA) for all WordPress accounts to reduce the risk of account compromise.
6) Regularly review and minimize the number of users with authenticated access, especially those with Subscriber or higher roles.
7) Consider network-level protections such as web application firewalls (WAFs) to detect and block suspicious AJAX requests targeting plugin settings endpoints.
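One way to implement the monitoring step above, as an added example that is not part of the advisory or the plugin: a WordPress hook that records every change to the settings option with the acting user and role, and flags writes by accounts lacking the manage_options capability. The option name 'example_plugin_api_key' is a placeholder for whatever option the plugin actually stores.

```php
<?php
// Added example, not the plugin's code. Logs each change to a settings option with the
// acting user and role so that writes from low-privilege accounts stand out in the audit trail.
// 'example_plugin_api_key' is a placeholder option name.
function example_audit_api_key_change( $old_value, $new_value, $option ) {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';

    // Never write the secret itself to the log; a truncated hash is enough to show a change.
    $entry = sprintf(
        '[%s] option=%s changed by user_id=%d (%s) roles=%s old=%s new=%s ip=%s',
        gmdate( 'c' ),
        $option,
        $user->ID,
        $user->user_login,
        $roles,
        substr( hash( 'sha256', (string) $old_value ), 0, 12 ),
        substr( hash( 'sha256', (string) $new_value ), 0, 12 ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown'
    );
    error_log( $entry );

    // A settings write by an account that cannot manage options is exactly the condition
    // this advisory describes; raise it as an alert rather than only recording it.
    if ( $user->exists() && ! user_can( $user, 'manage_options' ) ) {
        error_log( 'ALERT: settings change by non-admin account: ' . $entry );
    }
}
// update_option_{$option} fires after the option is saved and passes (old, new, option name).
add_action( 'update_option_example_plugin_api_key', 'example_audit_api_key_change', 10, 3 );
```

Forward the error_log output (or replace it with your SIEM client) so the ALERT lines reach the SOC; the hook itself does not prevent the write, it only makes it visible.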
Affected Countries
United States, Germany, United Kingdom, Australia, Canada, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-09T13:22:34.028Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c08b7ef31ef0b55f2f1
Added to database: 2/25/2026, 9:39:20 PM
Last enriched: 2/26/2026, 3:18:15 AM
Last updated: 2/26/2026, 8:03:06 AM