CVE-2024-9361: CWE-862 Missing Authorization in giuliopanda Bulk images optimizer: Resize, optimize, convert to webp, rename …
CVE-2024-9361 is a medium severity vulnerability in the WordPress plugin 'Bulk images optimizer: Resize, optimize, convert to webp, rename …' by giuliopanda. The flaw is a missing authorization check in the plugin's 'save_configuration' function, which lets any authenticated user with Subscriber-level access or higher modify the plugin's options. The vulnerability does not affect confidentiality or availability; its impact is limited to the integrity of plugin settings. Exploitation is low complexity and needs no user interaction beyond the attacker's own authenticated session. No exploits in the wild have been reported. Organizations running this plugin should update it or apply mitigations so that unauthorized configuration changes cannot alter image processing behavior. Exposure tracks the WordPress install base rather than geography, so countries with large WordPress and web hosting markets account for most affected sites. The CVSS 3.1 base score is 4.3 (medium), reflecting the privileges required and the limited, integrity-only impact.
AI Analysis
Technical Summary
CVE-2024-9361 affects all versions up to and including 2.0.1 of the 'Bulk images optimizer: Resize, optimize, convert to webp, rename …' WordPress plugin by giuliopanda. The root cause is a missing authorization check (CWE-862) in the 'save_configuration' function, which persists the plugin's settings. In WordPress plugin code this class of bug typically means the handler that writes the options never asks WordPress whether the current user holds an appropriate capability (for example via current_user_can('manage_options')) before saving; a nonce check alone would not close the gap, because nonces defend against CSRF and any user who can load the page that issues them can obtain one. As a result, any authenticated user with at least Subscriber-level privileges can modify the plugin's configuration. Because Subscriber is the least-privileged default role, the bar for exploitation is far lower than for flaws that require Administrator access. The impact is limited to integrity: an attacker can alter plugin settings, which may disrupt image optimization workflows or, depending on what the settings control, change how the plugin processes uploaded images. Confidentiality and availability are not directly affected. The CVSS 3.1 base score is 4.3 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: network attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and limited integrity impact. At the time of this analysis no patch and no public exploit were available. The CVE was published on October 18, 2024, with Wordfence as the assigning CNA. Organizations using this plugin should assess their exposure and apply mitigations promptly.
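The following is an added illustration of the CWE-862 pattern described above, written for this page; it is not the giuliopanda plugin's code, whose implementation the advisory does not show. The hook names, option name and field names (example_save_configuration, example_optimizer_config, quality, format) are assumptions chosen for the example. The first handler accepts settings from any logged-in user, which is the bug class the advisory reports; the second adds the capability check, plus a nonce check and input validation.

```php
<?php
// Illustrative WordPress settings handlers, NOT the affected plugin's code.
// Hook names, option name and field names below are assumptions for this example.

// --- Vulnerable pattern (CWE-862): wp_ajax_* hooks fire for every logged-in
// user, and this callback never asks WordPress whether that user may change
// site settings, so a Subscriber can overwrite the configuration.
add_action( 'wp_ajax_example_save_configuration', 'example_save_configuration_vulnerable' );

function example_save_configuration_vulnerable() {
    // Any authenticated user (Subscriber and up) reaches this point.
    $config = array(
        'quality' => isset( $_POST['quality'] ) ? (int) $_POST['quality'] : 80,
        'format'  => isset( $_POST['format'] ) ? sanitize_text_field( wp_unslash( $_POST['format'] ) ) : 'webp',
    );
    update_option( 'example_optimizer_config', $config );
    wp_send_json_success( $config );
}

// --- Hardened pattern: explicit authorization, then CSRF protection, then
// validation, all before any state change. Sanitising input alone does not
// address a missing authorization check.
add_action( 'wp_ajax_example_save_configuration_fixed', 'example_save_configuration_fixed' );

function example_save_configuration_fixed() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    //    wp_send_json_error() terminates the request, so there is no fall-through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'example_save_configuration', 'nonce' );

    // 3. Validate before storing; reject anything outside the expected domain.
    $allowed_formats = array( 'webp', 'jpg', 'png' );
    $quality = isset( $_POST['quality'] ) ? (int) $_POST['quality'] : 80;
    $format  = isset( $_POST['format'] ) ? sanitize_text_field( wp_unslash( $_POST['format'] ) ) : 'webp';
    if ( $quality < 1 || $quality > 100 || ! in_array( $format, $allowed_formats, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid configuration' ), 400 );
    }

    $config = array( 'quality' => $quality, 'format' => $format );
    update_option( 'example_optimizer_config', $config );
    wp_send_json_success( $config );
}
```

The order of the checks matters: current_user_can() is the authorization decision and comes first; check_ajax_referer() only proves the request came from a page that issued the nonce, and a Subscriber who can reach such a page can obtain one, so a nonce is not a substitute for the capability check. When reviewing a plugin for this bug class, look at every wp_ajax_*, admin_post_* and REST route callback that calls update_option() and confirm a capability check guards the write.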
Potential Impact
The primary impact of CVE-2024-9361 is unauthorized modification of the plugin's configuration by low-privileged authenticated users. Altered image optimization settings can degrade site performance, cause image processing errors, or change how the plugin handles images in ways the site owner did not intend. The flaw does not expose sensitive data or cause denial of service on its own, but the loss of configuration integrity can disrupt automated workflows, increase server load through reprocessing, and undermine confidence in the content the site serves. Subscriber-level access is easy to come by on WordPress sites that allow open registration, and low-privilege credentials are a common outcome of credential stuffing and phishing, so the privilege requirement is a weak barrier. Combined with network reachability and low attack complexity, exploitation is straightforward in any multi-user deployment. The absence of known in-the-wild exploitation lowers the immediate risk but does not remove it, particularly as the advisory circulates. Overall the impact is moderate, and highest for sites with many user roles or public registration.
Mitigation Recommendations
1. Update the 'Bulk images optimizer' plugin to a release that adds the authorization check as soon as the vendor publishes one; the advisory covers all versions up to and including 2.0.1.
2. Until then, treat every Subscriber-or-higher account as able to change the plugin's settings: disable the 'Anyone can register' option under Settings > General if open registration is not needed, and review who currently holds accounts.
3. WAF rules are only a partial control here. The attacker is an authenticated user, so a rule has to match the specific request that reaches save_configuration (for plugins this is typically an admin-ajax.php or admin-post.php action), which this advisory does not identify. Enable a vendor signature for CVE-2024-9361 if your WAF ships one; otherwise rely on the server-side controls below.
4. Audit WordPress user accounts regularly; remove stale accounts and downgrade any that hold more privilege than they need.
5. Plugin settings are stored in the wp_options table. Alert on changes to the plugin's option rows and record which user made them; WordPress fires hooks on every option update that a small must-use plugin can log or block.
6. Disable or uninstall the plugin if it is not essential, to remove the attack surface entirely.
7. Apply least privilege and strong authentication (MFA where the site supports it) so that even low-privilege accounts are harder for an attacker to obtain.
8. Review web server and application logs for requests to the plugin's configuration handlers coming from accounts that should never touch settings.
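Items 5 and 8 above can be implemented server-side without knowing the plugin's internals, by hooking WordPress's own option-update pipeline. The must-use plugin below is an added example for this page, not code from the affected plugin or from Wordfence. It assumes the plugin stores its settings under option names beginning with a prefix you must confirm on your own site (the `bulk_images_optimizer_` prefix in the code is a placeholder), and it uses only the core `pre_update_option` and `updated_option` hooks: the first acts as a temporary virtual patch by refusing writes from logged-in users who lack manage_options, the second records every successful change with the acting user.

```php
<?php
/**
 * Plugin Name: Option change guard (example for CVE-2024-9361 mitigation)
 * Description: Illustrative must-use plugin, not part of the affected plugin.
 *              Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// ASSUMPTION: the affected plugin keeps its settings under option names starting
// with one of these prefixes. Verify on your site before relying on this, e.g.
// with WP-CLI:  wp option list --search='*optim*'
const EXAMPLE_GUARDED_OPTION_PREFIXES = array( 'bulk_images_optimizer_' );

function example_option_is_guarded( $option ) {
    foreach ( EXAMPLE_GUARDED_OPTION_PREFIXES as $prefix ) {
        if ( 0 === strpos( $option, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// Virtual patch: refuse updates to guarded options from logged-in users who lack
// manage_options. Returning the old value makes update_option() a no-op because
// core compares the filtered value with the stored one before writing.
// Contexts with no user (WP-Cron, WP-CLI) are left alone: the reported flaw
// requires an authenticated account, and blocking them would break maintenance.
add_filter( 'pre_update_option', 'example_guard_option_update', 10, 3 );

function example_guard_option_update( $value, $option, $old_value ) {
    if ( ! example_option_is_guarded( $option ) || ! is_user_logged_in() ) {
        return $value;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        $user = wp_get_current_user();
        error_log( sprintf(
            'option-guard BLOCKED option=%s user=%d(%s) roles=%s ip=%s uri=%s',
            $option,
            $user->ID,
            $user->user_login,
            implode( ',', $user->roles ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
            isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
        ) );
        return $old_value;
    }
    return $value;
}

// Audit trail: record every successful change to a guarded option and who made it.
add_action( 'updated_option', 'example_audit_option_update', 10, 3 );

function example_audit_option_update( $option, $old_value, $value ) {
    if ( ! example_option_is_guarded( $option ) ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'option-guard CHANGED option=%s user=%d(%s) old=%s new=%s',
        $option,
        $user->ID,
        $user->user_login ? $user->user_login : 'none',
        wp_json_encode( $old_value ),
        wp_json_encode( $value )
    ) );
}
```

Log lines go to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled); forward them to your SIEM and alert on any BLOCKED line, since a blocked write from a Subscriber is direct evidence of an exploitation attempt. Two limits to keep in mind: pre_update_option only covers update_option(), so a first-time add_option() or a direct SQL write is not intercepted, and the guard is a stopgap that should be removed once the vendor's patched release is installed.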
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-09-30T18:04:28.820Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b49b7ef31ef0b550ee4
Added to database: 2/25/2026, 9:36:09 PM
Last enriched: 2/25/2026, 11:18:13 PM
Last updated: 2/26/2026, 5:56:58 AM