CVE-2024-7721 is a vulnerability classified under CWE-862 (Missing Authorization) found in the HTML5 Video Player – mp4 Video Player Plugin and Block for WordPress. The flaw exists because the 'save_password' function lacks a proper capability check, allowing authenticated users with minimal privileges (Subscriber-level or higher) to modify plugin options arbitrarily. This includes the ability to set any options not explicitly protected by a false check to an array, such as enabling user registration on the WordPress site, which could otherwise be disabled by administrators. The vulnerability affects all plugin versions up to and including 2.5.34. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity but not confidentiality or availability. Although no known exploits have been reported in the wild, the vulnerability poses a risk of unauthorized configuration changes that could facilitate further attacks or compromise site management. The plugin is widely used in WordPress environments, making this a relevant concern for many websites relying on it for video playback functionality.

The primary impact of CVE-2024-7721 is the unauthorized modification of plugin settings by low-privileged authenticated users. This can lead to changes such as enabling user registration on a WordPress site, which may have been intentionally disabled to prevent unauthorized account creation. Such changes can increase the attack surface by allowing attackers or malicious users to create accounts, potentially leading to privilege escalation or further exploitation. While the vulnerability does not directly expose sensitive data or cause service disruption, the integrity of site configuration is compromised, which can indirectly affect security posture. Organizations running affected versions of the plugin risk unauthorized administrative changes that could facilitate spam, unauthorized access, or other malicious activities. The vulnerability is particularly impactful in environments where subscriber-level accounts are widely distributed or where user registration policies are critical to security.

To mitigate CVE-2024-7721, organizations should immediately update the HTML5 Video Player – mp4 Video Player Plugin and Block to a patched version once available. In the absence of a patch, administrators should restrict Subscriber-level access or lower privileges from users who do not require it, minimizing the number of accounts that can exploit this vulnerability. Additionally, implement strict role-based access controls and monitor changes to plugin settings for unauthorized modifications. Consider disabling user registration temporarily if it is not needed or enforce additional verification mechanisms for new accounts. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the plugin’s configuration endpoints. Regular audits of WordPress user roles and plugin configurations will help detect exploitation attempts early. Finally, maintain comprehensive logging and alerting on configuration changes to enable rapid incident response.