CVE-2024-9584 is a vulnerability identified in the Image Map Pro – Drag-and-drop Builder for Interactive Images WordPress plugin, affecting all versions up to and including 6.0.20. The root cause is a missing authorization check (CWE-862) on AJAX functions that manage map projects. This flaw allows authenticated users with contributor-level privileges or higher to bypass intended permission restrictions and perform unauthorized modifications such as adding, updating, or deleting map projects. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and no elevated privileges beyond contributor are needed (PR:L). The vulnerability impacts data integrity and availability but not confidentiality, as attackers cannot access data beyond modification capabilities. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on October 25, 2024, with a CVSS v3.1 base score of 5.4, reflecting medium severity. The flaw presents a risk to WordPress sites using this plugin, especially those with multiple contributors or editors, as it allows unauthorized content manipulation that could disrupt site functionality or content trustworthiness.

The primary impact of CVE-2024-9584 is unauthorized modification and potential loss of interactive map data on WordPress sites using the Image Map Pro plugin. Attackers with contributor-level access can alter or delete map projects, which may disrupt website functionality, degrade user experience, and damage organizational reputation. For organizations relying on interactive maps for navigation, marketing, or information dissemination, this could lead to misinformation or operational interruptions. Although confidentiality is not directly impacted, the integrity and availability of critical site content are at risk. In multi-user environments, this vulnerability could be exploited by malicious insiders or compromised contributor accounts to cause damage. The lack of user interaction requirement and low attack complexity increase the likelihood of exploitation once an attacker gains contributor access. This could also facilitate further attacks if map data is used in downstream processes or integrations.

To mitigate CVE-2024-9584, organizations should immediately restrict contributor-level privileges to trusted users only and audit existing user roles to minimize unnecessary elevated permissions. Administrators should monitor and log changes to map projects to detect unauthorized modifications promptly. Until an official patch is released, consider disabling or removing the Image Map Pro plugin if it is not critical to operations. For sites that must continue using the plugin, implement web application firewall (WAF) rules to restrict AJAX requests related to map project modifications to authorized users only. Additionally, harden WordPress security by enforcing strong authentication mechanisms such as multi-factor authentication (MFA) for all users with contributor or higher roles. Regularly update WordPress core and plugins to the latest versions once a patch for this vulnerability becomes available. Finally, conduct security awareness training for contributors to recognize and report suspicious activities.