CVE-2024-7621 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress. The root cause is the absence of a capability check in the process_wpfeedback_misc_options() function, which handles plugin settings updates. This flaw allows any authenticated user with at least Subscriber-level privileges to modify the plugin's configuration settings without proper authorization. Since WordPress Subscriber roles are typically low-privilege, this vulnerability significantly lowers the barrier for attackers to manipulate plugin behavior or settings. The vulnerability affects all versions up to 4.0.2 inclusive. The CVSS v3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts confidentiality and integrity but not availability. Exploiting this vulnerability could enable attackers to alter plugin settings, potentially leading to further attacks such as privilege escalation or data exposure within the WordPress environment. No public exploits or patches are currently available, emphasizing the need for vigilance and proactive mitigation by site administrators.

The primary impact of CVE-2024-7621 is unauthorized modification of plugin settings by low-privilege authenticated users. This can undermine the integrity of the affected WordPress site by allowing attackers to change configurations that could weaken security controls or expose sensitive data. While the vulnerability does not directly affect availability, it compromises confidentiality and integrity, potentially enabling further exploitation such as privilege escalation or unauthorized data access. Organizations relying on the Atarim plugin for project management and collaboration may face risks including data leakage, unauthorized access to project information, or manipulation of feedback workflows. Given WordPress's widespread use globally, this vulnerability could affect a broad range of websites, especially those with multiple user roles and collaborative environments. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits targeting this flaw.

To mitigate CVE-2024-7621, organizations should: 1) Immediately restrict Subscriber-level user permissions to the minimum necessary, reviewing and tightening role capabilities to limit access to plugin settings. 2) Monitor and audit changes to the Atarim plugin settings to detect unauthorized modifications promptly. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the process_wpfeedback_misc_options() function or related plugin endpoints. 4) Isolate or sandbox environments where possible to limit the impact of compromised accounts. 5) Stay informed about official patches or updates from the plugin vendor and apply them promptly once available. 6) Consider temporarily disabling the Atarim plugin if it is not critical to operations until a fix is released. 7) Educate site administrators and users about the risks of low-privilege account misuse and enforce strong authentication policies to reduce the risk of account compromise.