CVE-2024-7390: CWE-862 Missing Authorization in starkinfo WP Testimonial Widget

Severity: Medium
Tags: Vulnerability, CVE-2024-7390, CVE, CWE-862
Published: Wed Aug 21 2024 (08/21/2024, 05:30:20 UTC)
Source: CVE Database V5
Vendor/Project: starkinfo
Product: WP Testimonial Widget

Description

CVE-2024-7390 is a medium severity vulnerability in the WP Testimonial Widget WordPress plugin, affecting all versions up to and including 3.0. The flaw arises from a missing authorization check in the fnSaveTestimonailOrder function, allowing unauthenticated attackers to modify the order of testimonials. While this does not impact confidentiality or availability, it compromises data integrity by permitting unauthorized changes. Exploitation requires no authentication or user interaction and can be performed remotely over the network. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize applying patches or implementing access controls to prevent unauthorized testimonial modifications. The vulnerability primarily affects WordPress sites using this specific plugin, with higher risk in countries where WordPress has significant market share and where the plugin is popular. The overall severity is medium because the impact scope is limited, even though no authentication is required.

AI-Powered Analysis

Last updated: 02/26/2026, 03:37:23 UTC

Technical Analysis

CVE-2024-7390 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WP Testimonial Widget plugin for WordPress, maintained by starkinfo. The issue exists in the fnSaveTestimonailOrder function, which lacks proper capability checks to verify if the user has the necessary permissions to modify testimonial order data. This missing authorization allows unauthenticated attackers to remotely invoke this function and reorder testimonials arbitrarily. Since the vulnerability affects all versions up to and including 3.0, any site running these versions is at risk. The vulnerability does not expose sensitive data (no confidentiality impact) nor does it affect system availability. However, it compromises data integrity by allowing unauthorized changes to testimonial content order, which could be leveraged to manipulate site presentation or reputation. The CVSS v3.1 score is 5.3 (medium), reflecting the ease of exploitation (no privileges or user interaction required) but limited impact scope. No patches or known exploits have been reported at the time of publication, but the risk remains for sites that do not implement mitigations. The vulnerability is network exploitable and affects publicly accessible WordPress installations using the plugin.

Potential Impact

The primary impact of CVE-2024-7390 is unauthorized modification of testimonial order on affected WordPress sites. While this does not directly compromise sensitive user data or site availability, it undermines the integrity of displayed content, potentially damaging the credibility and trustworthiness of the website. Attackers could reorder testimonials to promote fraudulent or misleading content, negatively influencing visitors’ perception. For organizations relying on testimonials as part of their marketing or reputation management, this could lead to reputational harm and loss of customer trust. Additionally, if combined with other vulnerabilities or social engineering, it could be part of a larger attack chain. Since the vulnerability requires no authentication and is remotely exploitable, it increases the attack surface for opportunistic attackers. However, the impact is limited to the testimonial widget and does not affect core WordPress functionality or other plugins.

Mitigation Recommendations

1. Immediately update the WP Testimonial Widget plugin to a version that includes proper authorization checks once a patch is released by the vendor.
2. Until an official patch is available, restrict access to the WordPress admin AJAX endpoint or the specific fnSaveTestimonailOrder function by implementing web application firewall (WAF) rules that block unauthorized requests targeting this function.
3. Limit plugin usage to trusted administrators only and disable or remove the plugin if it is not essential.
4. Monitor web server and WordPress logs for suspicious POST requests attempting to invoke fnSaveTestimonailOrder without authentication.
5. Employ the principle of least privilege on WordPress user roles to minimize potential damage from compromised accounts.
6. Regularly audit and verify testimonial content integrity to detect unauthorized changes promptly.
7. Consider implementing additional security plugins that enforce capability checks or harden AJAX endpoints.
8. Educate site administrators about the risk and encourage prompt patching and monitoring.
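The following is an added illustration, not code from the WP Testimonial Widget plugin, of the CWE-862 pattern the analysis describes and of the capability and nonce checks that close it. The hook names, option key, nonce action and capability are hypothetical assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code). Shows a WordPress admin-ajax handler
// that stores a testimonial display order, first in the vulnerable shape
// described on this page, then hardened. All hook/option/nonce names are
// hypothetical assumptions for illustration.

// VULNERABLE pattern (CWE-862): the handler is registered for logged-out
// callers via wp_ajax_nopriv_ and never checks who is calling, so anyone who
// can reach admin-ajax.php can rewrite the stored order.
add_action( 'wp_ajax_nopriv_example_order_vuln', 'example_save_order_vulnerable' );
add_action( 'wp_ajax_example_order_vuln', 'example_save_order_vulnerable' );
function example_save_order_vulnerable() {
    $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : array();
    update_option( 'example_testimonial_order', array_map( 'intval', $order ) );
    wp_send_json_success();
}

// HARDENED form: no wp_ajax_nopriv_ registration (unauthenticated callers get
// WordPress's default -1/400 response), a nonce check against CSRF, and an
// explicit capability check before any state changes.
add_action( 'wp_ajax_example_order_safe', 'example_save_order_hardened' );
function example_save_order_hardened() {
    // Dies with HTTP 403 if the 'nonce' POST field does not verify.
    check_ajax_referer( 'example_testimonial_order_nonce', 'nonce' );

    // Authorization: only users allowed to manage site options may reorder.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: keep only positive integers that are real post IDs.
    $raw   = isset( $_POST['order'] ) ? (array) wp_unslash( $_POST['order'] ) : array();
    $order = array_values( array_filter(
        array_map( 'intval', $raw ),
        function ( $id ) {
            return $id > 0 && false !== get_post_type( $id );
        }
    ) );

    update_option( 'example_testimonial_order', $order );
    wp_send_json_success( array( 'order' => $order ) );
}
```

The matching nonce would be minted on the admin page with wp_create_nonce( 'example_testimonial_order_nonce' ) and sent as the 'nonce' POST field; the vulnerable handler is shown only for contrast and should not be registered on a live site.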


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-08-01T19:10:32.040Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c16b7ef31ef0b55fc49

Added to database: 2/25/2026, 9:39:34 PM

Last enriched: 2/26/2026, 3:37:23 AM

Last updated: 2/26/2026, 9:39:20 AM
