The Total Book Project WordPress plugin suffers from an authorization bypass vulnerability classified as CWE-639: Authorization Bypass Through User-Controlled Key. This vulnerability arises because the plugin fails to properly validate user-supplied keys used to identify book chapters in several functions. As a result, authenticated users with Contributor-level or higher privileges can perform unauthorized actions on chapters belonging to other users. These actions include moving, deleting, or creating chapters in books they do not own. The vulnerability affects all versions up to and including 1.0. Exploitation requires authentication but no additional user interaction, and it can be performed remotely over the network. The CVSS 3.1 base score is 5.4, indicating a medium severity with low confidentiality and integrity impacts and no availability impact. No patches or known exploits are currently available, but the flaw represents a significant risk for multi-author WordPress sites using this plugin, as it undermines the intended access controls and content integrity.

This vulnerability allows authenticated contributors or higher to bypass authorization controls and manipulate content they should not have access to, potentially leading to unauthorized content modification or deletion. For organizations relying on The Total Book Project plugin to manage collaborative book content, this could result in data integrity issues, loss of trust among contributors, and disruption of workflows. Although the confidentiality impact is limited, unauthorized content changes can damage reputations and cause operational inefficiencies. Since the vulnerability requires authentication, the risk is somewhat mitigated by the need for valid user credentials, but insider threats or compromised accounts could exploit this flaw. The absence of availability impact means the site remains operational, but content integrity is compromised. Organizations with multiple contributors or public-facing collaborative content are at higher risk.

1. Immediately restrict Contributor-level and higher user permissions to trusted individuals only until a patch is available. 2. Monitor and audit user actions related to book chapter management to detect unauthorized modifications. 3. If possible, disable or uninstall The Total Book Project plugin until a secure version is released. 4. Implement additional access control checks at the web application firewall (WAF) level to block suspicious requests attempting to manipulate chapters outside user ownership. 5. Follow the plugin vendor’s updates closely and apply patches promptly once released. 6. Educate contributors on the importance of account security to prevent credential compromise. 7. Consider isolating sensitive content management to higher privilege roles temporarily. 8. Review and harden WordPress user role assignments to minimize unnecessary Contributor-level access.