CVE-2024-9067 is a missing authorization vulnerability (CWE-862) identified in the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. The vulnerability arises from the absence of a capability check within the delete_attachment function, which is responsible for handling attachment deletions. This flaw allows any authenticated user with at least Subscriber-level privileges to delete arbitrary attachments, bypassing intended permission restrictions. The vulnerability affects all versions of the plugin up to and including version 1.3.0. Exploitation requires authentication but no additional user interaction, and the attack vector is network-based. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality and availability but a direct impact on data integrity. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to WordPress sites using Youzify for community and social networking features, potentially allowing attackers to disrupt user content or remove attachments maliciously. No official patches or updates have been linked yet, so mitigation currently relies on access control and monitoring.

The primary impact of CVE-2024-9067 is unauthorized modification of data integrity, specifically the deletion of attachments by users who should not have such privileges. This can lead to loss of user-generated content, disruption of community interactions, and potential reputational damage for organizations relying on Youzify for social networking or membership management. Although confidentiality and availability are not directly affected, the integrity compromise can undermine trust in the platform and cause operational issues. Since the vulnerability requires only Subscriber-level authentication, attackers can exploit compromised or low-privilege accounts to escalate damage. Organizations with large user bases or sensitive community content are at higher risk. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future exploitation. The vulnerability could be leveraged in targeted attacks against community platforms, especially those with weak user account controls or high user churn.

1. Immediately audit user roles and permissions within WordPress and Youzify to ensure that Subscriber-level users have minimal privileges and that no unnecessary elevated rights are granted. 2. Implement strict monitoring and logging of attachment deletion activities to detect suspicious behavior early. 3. Restrict user registration or enforce stronger authentication mechanisms to reduce the risk of attacker account creation. 4. Temporarily disable or restrict the delete_attachment functionality if feasible until an official patch is released. 5. Follow Youzify and WordPress security advisories closely for updates or patches addressing this vulnerability and apply them promptly. 6. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block unauthorized delete_attachment requests. 7. Educate site administrators and moderators about the risk and encourage vigilance regarding unusual content deletions. 8. Regularly back up attachments and user content to enable recovery in case of malicious deletions.