CVE-2024-1385 in WP-Stateless Plugin
Summary
by MITRE • 04/06/2024
The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to the current time, which may completely take a site offline.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/14/2026
The WP-Stateless plugin for WordPress represents a critical security vulnerability classified as CVE-2024-1385 that exposes WordPress installations to unauthorized data manipulation through a fundamental capability check failure. This vulnerability specifically affects versions up to and including 3.4.0 of the WP-Stateless plugin, which is designed to integrate WordPress with Google Cloud Storage services. The flaw resides within the dismiss_notices() function that lacks proper authentication and authorization verification, creating a pathway for malicious actors to exploit the system's trust model. The vulnerability's impact extends beyond simple notice dismissal as it enables attackers to manipulate core WordPress options, potentially leading to complete site outages.
The technical implementation of this vulnerability stems from the plugin's failure to validate user capabilities before executing the dismiss_notices() function. According to CWE-284, this represents an inadequate access control mechanism where the plugin does not properly verify that the requesting user possesses sufficient privileges to perform the requested action. The function accepts user input without appropriate validation, allowing authenticated users with subscriber-level access or higher to manipulate WordPress options. This flaw aligns with ATT&CK technique T1078.004 which describes valid accounts usage, where attackers leverage legitimate user credentials to perform unauthorized actions within the system. The specific implementation allows attackers to update arbitrary option values to the current timestamp, a seemingly innocuous action that can have catastrophic consequences for site stability and functionality.
The operational impact of CVE-2024-1385 manifests in several critical ways that can severely compromise WordPress site integrity and availability. When an authenticated attacker exploits this vulnerability, they can manipulate core WordPress options such as the site URL, home URL, or other critical configuration parameters. The update of arbitrary option values to the current time can trigger cascading failures throughout the WordPress system, potentially causing complete site downtime or rendering the installation unusable. This type of attack can be particularly devastating for sites that rely heavily on automated processes or scheduled tasks, as the manipulation of option values can disrupt these critical functions. The vulnerability's scope allows for potential data loss scenarios where configuration changes can result in site misconfigurations that may require manual intervention to resolve.
Mitigation strategies for this vulnerability require immediate action from WordPress administrators and security teams to protect their installations from exploitation. The primary recommendation involves upgrading the WP-Stateless plugin to version 3.4.1 or later, which includes the necessary capability checks to prevent unauthorized option manipulation. System administrators should also implement network-level monitoring to detect unusual patterns of option updates that may indicate exploitation attempts. According to security best practices and ATT&CK framework guidance, organizations should enforce principle of least privilege by ensuring that users only possess the minimum necessary permissions to perform their required tasks. Additionally, implementing regular security audits of WordPress plugins and maintaining updated security monitoring tools can help detect and prevent similar vulnerabilities from being exploited in the future. The vulnerability serves as a reminder of the critical importance of proper capability validation in web applications and the potential consequences of inadequate access control mechanisms in content management systems.