CVE-2024-7626 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the WP Delicious – Recipe Plugin for Food Bloggers, a WordPress plugin used for managing recipe content. The vulnerability exists in the save_edit_profile_details() function, which fails to properly validate file paths supplied by authenticated users. This allows an attacker with subscriber-level privileges or higher to specify arbitrary file paths for moving files on the server. By exploiting this, an attacker can move sensitive files such as wp-config.php, which contains database credentials and other critical configuration data. Moving such files can lead to remote code execution (RCE) if the attacker replaces or relocates files in a way that the server executes malicious code. Additionally, the vulnerability allows reading arbitrary files, exposing sensitive information. The CVSS v3.1 base score is 8.1 (high), reflecting the network attack vector, low attack complexity, and the requirement for low privileges but no user interaction. The scope is unchanged, meaning the vulnerability affects the same security domain. No patches or fixes have been officially released at the time of this report, and no known exploits have been observed in the wild. The plugin is widely used among food bloggers and WordPress sites focused on recipe content, making affected installations potentially numerous.

The impact of CVE-2024-7626 is significant for organizations running WordPress sites with the vulnerable WP Delicious plugin. Attackers with minimal privileges can escalate their access by moving critical files, potentially leading to full server compromise through remote code execution. Confidentiality is at high risk due to the ability to read sensitive files like wp-config.php, which may contain database credentials and API keys. Integrity is also compromised as attackers can manipulate files, potentially injecting malicious code or disrupting site functionality. Although availability is not directly impacted, the resulting compromise could lead to site defacement or downtime. Organizations relying on this plugin for content management, especially those handling sensitive user data or business-critical operations, face increased risk of data breaches, unauthorized access, and reputational damage. The ease of exploitation combined with the low privilege requirement makes this vulnerability attractive to attackers targeting WordPress ecosystems.

To mitigate CVE-2024-7626, organizations should: 1) Immediately audit WordPress sites for the presence of the WP Delicious – Recipe Plugin and identify versions up to 1.6.9. 2) Disable or remove the plugin if an official patch is not yet available to prevent exploitation. 3) Monitor user roles and permissions carefully, restricting subscriber-level access where possible and reviewing user accounts for suspicious activity. 4) Implement Web Application Firewall (WAF) rules to detect and block suspicious file path manipulation attempts targeting the vulnerable function. 5) Harden file system permissions to prevent unauthorized file moves or modifications by the web server user. 6) Regularly back up WordPress sites and configuration files to enable recovery in case of compromise. 7) Stay alert for official patches or updates from the vendor and apply them promptly once released. 8) Conduct security scans and penetration tests focusing on file path traversal and arbitrary file manipulation vulnerabilities. These steps go beyond generic advice by focusing on immediate plugin removal, permission hardening, and proactive monitoring tailored to this specific vulnerability.