CVE-2024-8102 is a vulnerability classified under CWE-862 (Missing Authorization) found in The Ultimate WordPress Toolkit – WP Extended plugin for WordPress, affecting all versions up to and including 3.0.8. The root cause is the absence of a capability check in the module_all_toggle_ajax() function, which is responsible for toggling certain plugin settings via AJAX requests. This missing authorization allows any authenticated user with at least Subscriber-level privileges to update arbitrary WordPress options. Attackers can exploit this to modify critical site settings, such as changing the default role assigned to new users to 'administrator' and enabling user registration. This effectively allows an attacker to create new admin accounts and gain full control over the WordPress installation. The vulnerability requires no user interaction beyond authentication, and the attack can be performed remotely over the network. The CVSS v3.1 base score is 8.8 (High), reflecting the network attack vector, low attack complexity, privileges required at a low level, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or official fixes have been linked yet, and no known exploits have been reported in the wild. However, the vulnerability poses a severe risk to sites using this plugin, especially those allowing Subscriber-level users or higher to authenticate.

The impact of CVE-2024-8102 is severe for organizations running WordPress sites with the vulnerable WP Extended plugin. Successful exploitation leads to complete site compromise by enabling attackers to escalate privileges from low-level authenticated users to administrators. This can result in unauthorized data access, modification, deletion, and the installation of backdoors or malware. The attacker can manipulate site configurations, create new admin accounts, and potentially pivot to other systems within the organization's infrastructure. For e-commerce, financial, or data-sensitive websites, this could lead to data breaches, financial fraud, reputational damage, and regulatory non-compliance. Since WordPress powers a significant portion of the web, the scope of affected systems is broad, and the vulnerability can be exploited remotely without user interaction, increasing the risk of widespread exploitation if left unmitigated.

Organizations should immediately audit their WordPress installations to identify the presence of The Ultimate WordPress Toolkit – WP Extended plugin, especially versions up to 3.0.8. Until an official patch is released, administrators should restrict or disable user registration and limit Subscriber-level access where possible. Implementing Web Application Firewall (WAF) rules to block unauthorized AJAX requests targeting the module_all_toggle_ajax() endpoint can reduce exposure. Monitoring logs for suspicious option update activities or unexpected changes to default user roles is critical. Additionally, enforcing strong authentication and multi-factor authentication (MFA) for all users with elevated privileges can mitigate the risk of account compromise. Organizations should subscribe to vendor advisories and apply patches promptly once available. Regular backups and incident response plans should be reviewed to prepare for potential exploitation scenarios.