CVE-2024-8292 is a critical authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the WP-Recall – Registration, Profile, Commerce & More plugin for WordPress. The flaw exists in all versions up to and including 16.26.8 and arises because the plugin fails to properly verify the identity of users during the creation of new orders when the commerce addon is enabled. Specifically, an unauthenticated attacker can submit a crafted request containing any arbitrary email address in the user_email field during order creation. Due to insufficient authorization checks, the attacker can reset the password for the targeted user account associated with that email, effectively taking over the account without needing prior authentication or user interaction. This vulnerability impacts the confidentiality, integrity, and availability of user accounts and site data. The CVSS v3.1 base score is 9.8, reflecting network exploitable, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with active commerce addons. The lack of a patch at the time of disclosure increases urgency for mitigation. The vulnerability is assigned by Wordfence and was published on September 6, 2024.

The vulnerability allows unauthenticated attackers to take over any user account by resetting passwords arbitrarily, leading to full account compromise. This can result in unauthorized access to sensitive user data, manipulation of user profiles, fraudulent transactions, and potential site-wide administrative control if admin accounts are targeted. The integrity of the site is compromised as attackers can alter user data and commerce orders. Availability may also be affected if attackers disrupt commerce operations or lock out legitimate users. Organizations relying on WP-Recall for registration and commerce functionalities face risks of data breaches, financial fraud, reputational damage, and regulatory non-compliance. The ease of exploitation and lack of authentication requirements make this a highly critical threat, especially for e-commerce sites and membership platforms. The absence of known exploits currently provides a window for proactive defense, but the vulnerability is likely to be targeted soon given its severity.

1. Immediately disable the commerce addon of the WP-Recall plugin if it is not essential, to block the attack vector. 2. Monitor web server and application logs for suspicious new order creation requests, especially those with unusual or repeated user_email values. 3. Implement Web Application Firewall (WAF) rules to detect and block unauthorized attempts to create orders or reset passwords via the plugin endpoints. 4. Restrict access to order creation endpoints to authenticated users only, if feasible, through custom code or access control plugins. 5. Regularly audit user accounts for unauthorized password changes or suspicious activity. 6. Follow the WP-Recall vendor announcements closely and apply security patches immediately once released. 7. Consider alternative plugins with better security track records if patching is delayed. 8. Educate site administrators on the risks and encourage strong password policies and multi-factor authentication to reduce impact of compromised accounts. 9. Backup site data frequently to enable recovery in case of compromise. 10. Engage professional security services for penetration testing and incident response preparedness.