CVE-2024-9860 is a vulnerability identified in the Bridge Core plugin for WordPress, developed by QODE. The issue arises from a missing authorization check (CWE-862) in two key functions: 'import_action' and 'install_plugin_per_demo'. These functions lack proper capability verification, allowing any authenticated user with subscriber-level permissions or higher to perform privileged actions typically reserved for administrators. Specifically, attackers can delete or modify plugin settings, import demo content, and install a limited set of plugins without authorization. Since WordPress subscriber accounts are often easy to obtain or compromise, this vulnerability significantly lowers the attack barrier. The vulnerability affects all versions up to and including 3.3 of the Bridge Core plugin. The CVSS 3.1 base score is 6.5 (medium severity), with an attack vector of network, low attack complexity, no privileges required beyond subscriber-level, no user interaction, and impacts on integrity and availability but not confidentiality. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability could be exploited remotely via authenticated access to the WordPress backend, enabling attackers to manipulate site configurations and potentially disrupt site operations or introduce malicious plugins.

The vulnerability allows attackers with minimal privileges (subscriber-level) to escalate their capabilities within the WordPress environment by modifying plugin settings, importing demo data, and installing plugins. This can lead to unauthorized changes in site behavior, potential site downtime, or introduction of malicious code through installed plugins. The integrity of the website’s configuration is compromised, and availability may be affected if critical plugins are disabled or replaced. Although confidentiality is not directly impacted, the ability to install plugins could be leveraged for further attacks, including privilege escalation or data exfiltration. For organizations relying on the Bridge Core plugin, this vulnerability poses a risk of website defacement, operational disruption, and reputational damage. Since WordPress powers a significant portion of websites globally, the scope of affected systems is large, especially for sites using QODE themes that bundle this plugin. The ease of exploitation combined with the broad user base increases the potential impact worldwide.

Organizations should immediately audit their WordPress installations to identify the use of the Bridge Core plugin, particularly versions up to 3.3. Until an official patch is released, administrators should restrict subscriber-level accounts from accessing plugin-related functionalities by implementing custom role-based access controls or using security plugins that enforce capability restrictions. Monitoring and logging of plugin installation and configuration changes should be enabled to detect unauthorized activities. Additionally, organizations should consider temporarily disabling the Bridge Core plugin if feasible or limiting user registrations to trusted users only. Regular backups of site configurations and content are essential to enable recovery in case of exploitation. Once a patch is available, prompt application is critical. Security teams should also educate users about the risks of subscriber-level account compromise and enforce strong authentication mechanisms to reduce the risk of unauthorized access.