The Tainacan plugin for WordPress, developed by leogermani, suffers from a missing authorization check vulnerability identified as CVE-2024-7135. This vulnerability is classified under CWE-862 (Missing Authorization) and affects all versions up to and including 0.21.7. The root cause is the absence of a capability check in the 'get_file' function, which is responsible for serving files to authenticated users. Because of this, any user with at least Subscriber-level privileges can invoke this function to read arbitrary files on the server. Additionally, the function is vulnerable to directory traversal attacks, allowing attackers to navigate outside the intended directories and access sensitive files such as configuration files, credentials, or other private data. The vulnerability has a CVSS 3.1 base score of 6.5, indicating medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (authenticated users), no user interaction, and impacting confidentiality only. The scope remains unchanged as the vulnerability affects only the vulnerable component. No patches or official fixes have been linked yet, and no known exploits have been reported in the wild. This vulnerability poses a significant risk to the confidentiality of data stored on servers running vulnerable versions of Tainacan, especially in environments where users with Subscriber-level access are present.

The primary impact of CVE-2024-7135 is unauthorized disclosure of sensitive information stored on the server hosting the vulnerable Tainacan plugin. Attackers with minimal privileges (Subscriber-level) can exploit this flaw to read arbitrary files, potentially exposing database credentials, API keys, personal user data, or other confidential information. This can lead to further attacks such as privilege escalation, lateral movement within the network, or targeted data theft. Organizations relying on Tainacan for digital repository management or content curation may face data breaches, loss of intellectual property, or regulatory compliance violations. Since the vulnerability does not affect integrity or availability, the threat is confined to confidentiality breaches. However, the ease of exploitation by low-privilege authenticated users increases the risk, especially in environments with many registered users or weak user management policies.

To mitigate CVE-2024-7135, organizations should immediately upgrade the Tainacan plugin to a version that includes the authorization fix once it is released. Until a patch is available, administrators should restrict Subscriber-level access and review user roles to minimize the number of users with such privileges. Implementing web application firewall (WAF) rules to detect and block directory traversal patterns targeting the 'get_file' function can provide temporary protection. Additionally, server-side file permissions should be hardened to limit the exposure of sensitive files to the web server user. Regularly auditing plugin usage and monitoring logs for suspicious file access attempts can help detect exploitation attempts early. Finally, consider isolating the WordPress environment and sensitive data storage to reduce the blast radius of a potential breach.