
CVE-2024-6624: CWE-269 Improper Privilege Management in parorrey JSON API User

Severity: Critical
Tags: vulnerability, CVE-2024-6624, CWE-269
Published: Thu Jul 11 2024 (07/11/2024, 06:43:13 UTC)
Source: CVE Database V5
Vendor/Project: parorrey
Product: JSON API User

Description

CVE-2024-6624 is a critical privilege escalation vulnerability in the parorrey JSON API User WordPress plugin, affecting all versions up to and including 3.9.3. Because of improper privilege management on custom user meta fields, an unauthenticated attacker can register an account on a vulnerable site and have it created as an administrator. Exploitation requires the JSON API plugin, which JSON API User depends on, to be installed alongside it. With a CVSS v3.1 base score of 9.8, the flaw allows full compromise of an affected site with no authentication and no user interaction. No public exploit is currently known, but the impact is severe given the ease of exploitation and the privileges gained. Organizations running this plugin should update to a fixed release if one is available, or apply the mitigations below, immediately to prevent site takeover. The exposure is global: any WordPress site running the affected plugin pair is reachable, regardless of where it is hosted.

AI-Powered Analysis

Last updated: 02/26/2026, 03:18:49 UTC

Technical Analysis

CVE-2024-6624 is a critical vulnerability in the parorrey JSON API User plugin for WordPress, affecting all versions up to and including 3.9.3. The root cause is improper privilege management (CWE-269) on custom user meta fields: the plugin does not adequately validate or restrict which user meta an unauthenticated caller may set during registration or other API interactions, so a caller can have the account it registers created with administrator privileges. In WordPress a user's roles are themselves stored as user meta (the {table_prefix}capabilities key, typically wp_capabilities, with the legacy {table_prefix}user_level beside it), so any code path that writes caller-controlled meta keys and values without an allowlist effectively lets the caller choose their own role. Exploitation requires the JSON API plugin, on which JSON API User depends, to be installed. The vulnerability has a CVSS v3.1 base score of 9.8: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U) and high impact on confidentiality, integrity and availability (C:H/I:H/A:H). An attacker who exploits it gains full administrative control over the site, which in practice means arbitrary PHP execution through the built-in plugin and theme editors or plugin upload, data theft, defacement, and use of the host as a launchpad for further attacks. No exploitation in the wild has been reported, but the flaw is unauthenticated, a single request away, and easy to weaponize, which makes it a likely target once exploit code circulates. Every site running an affected version of the plugin pair is exposed. The vulnerability was publicly disclosed on July 11, 2024, with Wordfence as the assigning CNA; at the time of this analysis the CVE record carried no patch reference, which increases the urgency of mitigation.
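The following is an added illustration of the CWE-269 pattern the analysis describes, written for this page; it is hypothetical code, not the JSON API User plugin's source, and it makes no claim about the plugin's actual handler beyond the behaviour stated above. It assumes it runs inside WordPress, where wp_insert_user(), update_user_meta(), get_option() and the sanitize_*() helpers are core functions. The unsafe handler trusts the request for the role and for arbitrary meta keys; the hardened one fixes the role server-side and allowlists the meta it will write.

```php
<?php
// Hypothetical registration handlers illustrating CVE-2024-6624's bug class
// (added example, not the plugin's code). Runs inside WordPress.

/**
 * UNSAFE: trusts the request for both the role and arbitrary user meta.
 * A request carrying 'role' => 'administrator', or a meta entry named
 * wp_capabilities => ['administrator' => true], registers an administrator.
 * wp_insert_user() itself performs no capability check on 'role'; it trusts
 * the caller, so the check has to happen here.
 */
function unsafe_register_user( array $params ) {
    $user_id = wp_insert_user( array(
        'user_login' => $params['username'],
        'user_email' => $params['email'],
        'user_pass'  => $params['password'],
        'role'       => isset( $params['role'] ) ? $params['role'] : get_option( 'default_role' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Every request-supplied key lands in wp_usermeta, including the
    // capabilities key that stores the user's roles.
    foreach ( (array) ( $params['meta'] ?? array() ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    return $user_id;
}

/**
 * HARDENED: the role is never taken from the request, and only an explicit
 * allowlist of harmless profile keys is written. Anything else, including
 * wp_capabilities and wp_user_level, is dropped.
 */
function safe_register_user( array $params ) {
    $allowed_meta = array( 'first_name', 'last_name', 'description' ); // assumed allowlist

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $params['username'] ),
        'user_email' => sanitize_email( $params['email'] ),
        'user_pass'  => $params['password'],
        'role'       => get_option( 'default_role' ), // the server decides, never the caller
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    foreach ( (array) ( $params['meta'] ?? array() ) as $key => $value ) {
        if ( ! in_array( $key, $allowed_meta, true ) ) {
            continue; // fail closed on unknown keys
        }
        update_user_meta( $user_id, $key, sanitize_text_field( (string) $value ) );
    }
    return $user_id;
}
```

The allowlist is the whole fix: a denylist of "known bad" keys would miss user_level, per-site prefixes on multisite, and any future privilege-bearing meta, whereas an allowlist of profile fields cannot be talked into granting a role.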

Potential Impact

The impact of CVE-2024-6624 is severe for organizations worldwide using the parorrey JSON API User plugin in conjunction with the JSON API plugin. Successful exploitation results in unauthenticated attackers gaining administrator privileges, effectively allowing full control over the WordPress site. This can lead to unauthorized data access, modification, deletion, site defacement, installation of backdoors or malware, and use of the compromised site to launch attacks on other systems. The vulnerability threatens the confidentiality, integrity, and availability of affected websites. Organizations relying on these plugins for user management or API functionality face significant risk of operational disruption and reputational damage. Given WordPress's widespread use globally, especially among small to medium businesses, blogs, and e-commerce sites, the potential attack surface is large. The ease of exploitation without authentication or user interaction further exacerbates the risk, making rapid exploitation likely once public exploit code emerges. The lack of patches at disclosure time increases exposure, and organizations delaying mitigation may suffer severe consequences including data breaches and compliance violations.

Mitigation Recommendations

To mitigate CVE-2024-6624, take the following specific actions rather than relying on generic advice:
1) Disable the parorrey JSON API User plugin until a fixed release is available and installed, especially where the JSON API plugin is also active; deactivating either plugin removes the exposed code path.
2) Restrict access to the JSON API endpoints with web application firewall (WAF) rules or server-level access controls so that unauthenticated clients cannot reach the user-management controller. Verify the rule by issuing a registration request from an unauthenticated client and confirming it is rejected.
3) Monitor WordPress user accounts for unauthorized administrator creations or role changes: compare the current set of administrators against a known baseline, alert on new accounts whose capabilities meta grants administrator, and audit web server logs for JSON API requests from unexpected sources.
4) If the plugin cannot be disabled, add a site-level filter that validates and restricts writes to privileged user meta (the capabilities and user_level keys) during registration and API calls, so that only an actor holding the promote_users capability can grant a role other than the default.
5) Keep WordPress core and all plugins up to date, and subscribe to vendor or security mailing lists for patch announcements.
6) Enforce multi-factor authentication (MFA) for all administrator accounts. Note that MFA limits the abuse of stolen administrator credentials; it does not stop an attacker who registers a new administrator account through this flaw, so it complements items 1 to 4 rather than replacing them.
7) Maintain regular, tested backups and an incident response plan so that a compromised site can be rebuilt from a known-good state.
These steps reduce the attack surface and detect exploitation attempts while awaiting an official fix.
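The mu-plugin below is an added example of items 3 and 4 in the list above, written for this page; it is not code from the JSON API User plugin or from Wordfence. It uses only WordPress core hooks: the add_user_metadata and update_user_metadata short-circuit filters (returning a non-null value stops the write) and the set_user_role action. The function names prefixed pmg_ and the error_log() destination are assumptions; the list of "privileged" roles logged in the detection hook is also an assumption you should adapt.

```php
<?php
/**
 * Plugin Name: Privileged user-meta guard (added example for CVE-2024-6624)
 * Install: copy into wp-content/mu-plugins/ (loaded automatically, cannot be
 * deactivated from wp-admin). Hypothetical hardening code, not the plugin's.
 */

// Meta keys that encode privileges: roles live in {prefix}capabilities and
// the legacy level in {prefix}user_level. get_blog_prefix() handles multisite.
function pmg_privileged_keys() {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix();
    return array( $prefix . 'capabilities', $prefix . 'user_level' );
}

// Roles an unauthorised write may grant: only the site's default role.
function pmg_roles_allowed_unauthenticated() {
    return array( get_option( 'default_role', 'subscriber' ) );
}

// Highest legacy level (level_0 .. level_10 capabilities) carried by $roles.
function pmg_max_level_for_roles( array $roles ) {
    $max = 0;
    foreach ( $roles as $name ) {
        $role = get_role( $name );
        if ( ! $role ) {
            continue;
        }
        foreach ( array_keys( array_filter( $role->capabilities ) ) as $cap ) {
            if ( preg_match( '/^level_(\d+)$/', $cap, $m ) ) {
                $max = max( $max, (int) $m[1] );
            }
        }
    }
    return $max;
}

// True when the value being written stays within what a plain registration
// may legitimately set (the default role, or a level no higher than its own).
function pmg_value_is_benign( $meta_key, $meta_value ) {
    global $wpdb;
    $allowed = pmg_roles_allowed_unauthenticated();
    if ( $meta_key === $wpdb->get_blog_prefix() . 'user_level' ) {
        return (int) $meta_value <= pmg_max_level_for_roles( $allowed );
    }
    if ( ! is_array( $meta_value ) ) {
        return false; // capabilities must be an array of role => true
    }
    $granted = array_keys( array_filter( $meta_value ) );
    return empty( array_diff( $granted, $allowed ) );
}

// Short-circuit filter for add_user_metadata / update_user_metadata.
function pmg_guard_meta_write( $check, $object_id, $meta_key, $meta_value ) {
    if ( ! in_array( $meta_key, pmg_privileged_keys(), true ) ) {
        return $check; // not a privilege key; null lets WordPress proceed
    }
    // Legitimate administrative paths: an authenticated user who may promote
    // users (the wp-admin user editor) or a WP-CLI session on the server.
    if ( current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return $check;
    }
    if ( pmg_value_is_benign( $meta_key, $meta_value ) ) {
        return $check;
    }
    error_log( sprintf(
        'pmg: blocked privileged meta write user=%d key=%s value=%s ip=%s',
        $object_id, $meta_key, wp_json_encode( $meta_value ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    return false; // non-null return aborts the write in add_metadata()/update_metadata()
}
add_filter( 'add_user_metadata',    'pmg_guard_meta_write', 10, 4 );
add_filter( 'update_user_metadata', 'pmg_guard_meta_write', 10, 4 );

// Detection for item 3: record every change that lands on a high-privilege
// role, with the acting user (0 = unauthenticated request), so the log can
// be searched for escalations that slipped past the guard.
function pmg_log_role_change( $user_id, $role, $old_roles ) {
    if ( in_array( $role, array( 'administrator', 'editor' ), true ) ) { // assumed watch-list
        error_log( sprintf( 'pmg: role change user=%d new=%s old=%s by=%d',
            $user_id, $role, implode( ',', (array) $old_roles ), get_current_user_id() ) );
    }
}
add_action( 'set_user_role', 'pmg_log_role_change', 10, 3 );
```

Because WP_User::set_role() writes the capabilities meta and then re-reads it from the database, a blocked write leaves the newly registered account with no role at all rather than the requested one, which is the fail-closed outcome you want. The cost is that any unauthenticated automation that legitimately creates non-default roles (some CLI scripts run without --user, some cron jobs) will also be blocked and show up in the log; treat those entries as a prompt to run such jobs as a user who holds promote_users.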


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-07-09T17:32:52.204Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c08b7ef31ef0b55f2fc

Added to database: 2/25/2026, 9:39:20 PM

Last enriched: 2/26/2026, 3:18:49 AM

Last updated: 2/26/2026, 9:40:46 AM


