
CVE-2024-6799: CWE-862 Missing Authorization in yithemes YITH Essential Kit for WooCommerce #1

Severity: Medium
Tags: Vulnerability, CVE-2024-6799, CWE-862
Published: Fri Jul 19 2024 (07/19/2024, 07:36:45 UTC)
Source: CVE Database V5
Vendor/Project: yithemes
Product: YITH Essential Kit for WooCommerce #1

Description

CVE-2024-6799 is a medium severity vulnerability in the YITH Essential Kit for WooCommerce #1 WordPress plugin that allows authenticated users with Subscriber-level access or higher to install, activate, or deactivate certain YITH plugins without proper authorization checks. The flaw arises from missing capability checks on critical functions such as 'activate_module', 'deactivate_module', and 'install_module' in all versions up to 2.34.0. Exploitation does not require user interaction and can be performed remotely over the network. While the vulnerability does not directly impact confidentiality or availability, it allows unauthorized modification of plugin states, potentially leading to privilege escalation or further compromise. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or implementing access restrictions to mitigate risk.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 03:24:43 UTC

Technical Analysis

The vulnerability identified as CVE-2024-6799 affects the YITH Essential Kit for WooCommerce #1 plugin for WordPress, specifically versions up to and including 2.34.0. The root cause is a missing authorization check (CWE-862) on the functions responsible for managing YITH plugins: 'activate_module', 'deactivate_module', and 'install_module'. These functions fail to verify whether the authenticated user has the necessary capabilities before allowing these actions. As a result, any authenticated user with at least Subscriber-level privileges can exploit this flaw to install, activate, or deactivate plugins from a predefined list of YITH plugins. This unauthorized modification of plugin states can lead to privilege escalation if malicious plugins are activated or security controls are bypassed. The vulnerability is remotely exploitable without user interaction, with a CVSS 3.1 base score of 4.3, reflecting low complexity and limited impact on confidentiality and availability but moderate impact on integrity. No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability was publicly disclosed on July 19, 2024, by Wordfence.

Potential Impact

The primary impact of CVE-2024-6799 is unauthorized modification of plugin states within WordPress sites using the affected YITH Essential Kit for WooCommerce #1 plugin. Attackers with low-level authenticated access (Subscriber or higher) can activate or deactivate plugins, potentially enabling malicious plugins or disabling security-related plugins. This can lead to privilege escalation, unauthorized access to sensitive data, or disruption of site functionality. Although the vulnerability does not directly expose confidential information or cause denial of service, the integrity of the WordPress environment is compromised, increasing the risk of further exploitation. E-commerce sites using WooCommerce and YITH plugins are particularly at risk, as attackers could manipulate payment or product modules. The lack of user interaction and ease of exploitation make this vulnerability a significant concern for organizations relying on these plugins for their online stores.

Mitigation Recommendations

To mitigate CVE-2024-6799, organizations should immediately update the YITH Essential Kit for WooCommerce #1 plugin once an official patch is released. In the absence of a patch, administrators should restrict plugin management capabilities strictly to trusted roles, either by implementing custom capability checks or by using role management plugins to prevent Subscriber-level users from reaching plugin activation or installation functions. Additionally, monitoring and logging plugin state changes can help detect unauthorized modifications. Employing Web Application Firewalls (WAFs) with rules that flag unusual plugin management requests provides an additional layer of defense. Regularly auditing user roles and permissions to ensure least privilege is enforced will reduce the attack surface. Finally, educating site administrators about this vulnerability and encouraging timely updates and backups will help maintain site integrity.
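The following PHP is an added illustration, not the plugin's own code, of the missing-authorization pattern described in the Technical Analysis and of the capability check and state-change logging recommended above. The `wp_ajax_example_activate_module` action, the `plugin` POST parameter, the nonce name and the allow-list entry are all constructed for the example; the WordPress functions and hooks used are real core APIs.

```php
<?php
// Hypothetical handlers constructed to illustrate CWE-862 in a WordPress
// AJAX endpoint. Not the plugin's own code; action and parameter names are assumed.

// BEFORE: the pattern the advisory describes. Every logged-in user can reach
// a wp_ajax_* hook, and nothing here checks a capability or a nonce.
function example_activate_module_vulnerable() {
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    $result = activate_plugin( $plugin ); // runs for a Subscriber too
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_activate_module', 'example_activate_module_vulnerable' );

// AFTER: a capability check (and a nonce against CSRF) before any state change.
// activate_plugins / install_plugins are the core capabilities WordPress
// itself requires for these actions.
function example_activate_module_fixed() {
    check_ajax_referer( 'example_module_nonce', 'nonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $allowed = array( 'yith-example/plugin.php' ); // constructed allow-list
    $plugin  = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( ! in_array( $plugin, $allowed, true ) ) {
        wp_send_json_error( 'Unknown module', 400 );
    }
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_activate_module', 'example_activate_module_fixed' );

// DETECTION: log every plugin state change with the acting user's roles, so an
// activation by a non-administrator stands out in the log. Works as an
// mu-plugin while the vulnerable plugin is still installed.
function example_log_plugin_state_change( $plugin ) {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    error_log( sprintf( '[plugin-state] %s user=%d roles=%s plugin=%s',
        current_action(), $user->ID, $roles, $plugin ) );
}
add_action( 'activated_plugin', 'example_log_plugin_state_change' );
add_action( 'deactivated_plugin', 'example_log_plugin_state_change' );
```

The logging hook fires for any code path that calls activate_plugin() or deactivate_plugins(), so it records state changes made through the vulnerable handler as well as through the normal admin screens; a log line whose roles field lacks administrator is the signal to investigate.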


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-07-16T18:59:38.502Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c0cb7ef31ef0b55f561

Added to database: 2/25/2026, 9:39:24 PM

Last enriched: 2/26/2026, 3:24:43 AM

Last updated: 2/26/2026, 8:04:37 AM
