
CVE-2024-7424: CWE-284 Improper Access Control in themeisle Multiple Page Generator Plugin – MPG

Severity: Medium
Tags: Vulnerability, CVE-2024-7424, CWE-284
Published: Fri Nov 01 2024 (11/01/2024, 07:33:29 UTC)
Source: CVE Database V5
Vendor/Project: themeisle
Product: Multiple Page Generator Plugin – MPG

Description

CVE-2024-7424 is a medium severity vulnerability in the themeisle Multiple Page Generator Plugin (MPG) for WordPress, affecting all versions up to and including 4.0.1. The flaw arises from missing capability checks on several functions intended only for admin use. Authenticated users with Subscriber-level access or higher can exploit this to upload CSV files and access MPG project data, which should be restricted. The vulnerability impacts confidentiality and integrity but does not affect availability. Exploitation requires authentication but no user interaction beyond login. There are no known exploits in the wild yet. Organizations using this plugin should prioritize patching or applying strict access controls to mitigate risk. Countries with high WordPress usage and significant web presence are most at risk.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 03:38:57 UTC

Technical Analysis

CVE-2024-7424 is an improper access control vulnerability (CWE-284) found in the Multiple Page Generator Plugin (MPG) developed by themeisle for WordPress. The issue exists in all versions up to and including 4.0.1 due to missing capability checks on several functions that are intended exclusively for administrative users. This flaw allows authenticated users with minimal privileges—specifically Subscriber-level access or higher—to invoke administrative functions improperly. As a result, these lower-privileged users can upload CSV files and view the contents of MPG projects, which should normally be restricted to administrators. The vulnerability compromises the confidentiality and integrity of data managed by the plugin but does not impact system availability. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, and requiring privileges but no user interaction. No patches or known exploits have been reported at the time of publication. The vulnerability stems from insufficient authorization checks within the plugin’s code, allowing privilege escalation within the WordPress environment. Since WordPress powers a significant portion of websites globally, and the MPG plugin is used to automate page generation, this vulnerability could expose sensitive project data and enable unauthorized content manipulation if exploited.

Potential Impact

The vulnerability allows authenticated users with Subscriber-level access to escalate their privileges within the WordPress environment by accessing administrative functions of the MPG plugin. This can lead to unauthorized disclosure of project data and unauthorized modification through CSV uploads. For organizations, this means potential leakage of sensitive content, exposure of internal project structures, and unauthorized content injection or alteration. While it does not directly affect system availability or cause denial of service, the breach of confidentiality and integrity can undermine trust, lead to data compliance violations, and facilitate further attacks leveraging the exposed data. Since WordPress sites often serve as public-facing portals or content management systems, exploitation could also damage brand reputation and user trust. The medium severity rating reflects that exploitation requires valid authentication but no additional user interaction, making it moderately accessible to attackers who can register or compromise low-level accounts.

Mitigation Recommendations

Organizations should immediately verify whether their WordPress installations use the themeisle Multiple Page Generator Plugin and determine the plugin version. Since no official patch links are provided yet, administrators should consider temporarily disabling the plugin, or restricting its functions to trusted administrator accounts rather than every authenticated user with Subscriber-level privileges or higher, until a patch is available. Implement strict role-based access controls to limit Subscriber accounts and monitor for unusual CSV upload activity or access to MPG project data. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized attempts to invoke administrative functions of the plugin. Regularly audit user accounts to remove or downgrade unnecessary Subscriber-level users. Stay updated with themeisle and WordPress security advisories for patches or updates addressing this vulnerability. Additionally, consider isolating critical WordPress instances and backing up project data to enable rapid recovery if exploitation occurs.
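The defect class described in the Technical Analysis and the control recommended above (restrict admin-only plugin functions to administrators) come down to one pattern in WordPress plugin code. The following is an added illustration, not code from the MPG plugin or from themeisle: a hypothetical AJAX CSV-upload handler written first without a capability check, then with the authorization, nonce and input checks an admin-only endpoint needs. The action names (`example_mpg_upload_csv`, `example_mpg_upload_csv_safe`), function names and the 5 MB limit are invented for the example; every WordPress API called (`current_user_can`, `check_ajax_referer`, `wp_check_filetype`, `wp_handle_upload`, `wp_send_json_*`) is a real core function.

```php
<?php
// Added example, not the plugin's code. Hook and function names are hypothetical.

// --- Vulnerable pattern (the CWE-284 shape the advisory describes) ---
// wp_ajax_{action} hooks fire for EVERY logged-in user, Subscriber included.
// Being authenticated is mistaken for being authorized.
add_action( 'wp_ajax_example_mpg_upload_csv', 'example_vulnerable_upload_csv' );

function example_vulnerable_upload_csv() {
    // No current_user_can() check and no nonce check here.
    if ( empty( $_FILES['csv'] ) ) {
        wp_send_json_error( 'no file' );
    }
    // Raw move of a user-supplied file into the uploads directory.
    $dest = wp_upload_dir()['basedir'] . '/example-project.csv';
    move_uploaded_file( $_FILES['csv']['tmp_name'], $dest );
    wp_send_json_success( 'uploaded' );
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_mpg_upload_csv_safe', 'example_hardened_upload_csv' );

function example_hardened_upload_csv() {
    // 1. Authorization: require the capability an admin-only feature implies.
    //    A Subscriber does not hold manage_options, so the request stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer dies with a 403 on failure).
    check_ajax_referer( 'example_mpg_upload_csv', 'nonce' );

    // 3. Input validation: a file must be present, within a size cap, and a CSV.
    if ( empty( $_FILES['csv'] ) || UPLOAD_ERR_OK !== $_FILES['csv']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    if ( $_FILES['csv']['size'] > 5 * MB_IN_BYTES ) { // 5 MB cap is an example value
        wp_send_json_error( 'too large', 413 );
    }
    $type = wp_check_filetype( $_FILES['csv']['name'], array( 'csv' => 'text/csv' ) );
    if ( 'csv' !== $type['ext'] ) {
        wp_send_json_error( 'csv only', 415 );
    }

    // 4. Let core place the file: unique safe name, allowed-type enforcement.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['csv'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'path' => $result['file'] ) );
}
```

The same `current_user_can()` gate belongs in any handler that returns project contents, not only in upload handlers; the advisory covers both. A useful side effect of the hardened form for monitoring is that low-privilege attempts now surface as HTTP 403 responses on the plugin's `admin-ajax.php` actions, which is a concrete signal to alert on while the fix is being rolled out.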


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-08-02T15:29:43.802Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c18b7ef31ef0b55fd90

Added to database: 2/25/2026, 9:39:36 PM

Last enriched: 2/26/2026, 3:38:57 AM

Last updated: 2/26/2026, 8:06:54 AM

