CVE-2024-6489 in Getwid Plugininfo

Summary

by MITRE • 07/20/2024

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_google_api_key function in all versions up to, and including, 2.0.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to set the MailChimp API key.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/22/2024

The vulnerability identified as CVE-2024-6489 affects the Getwid – Gutenberg Blocks plugin for WordPress, representing a critical authorization flaw that undermines the security posture of affected systems. This issue stems from a fundamental missing capability check within the get_google_api_key function, which operates across all versions up to and including 2.0.10. The flaw specifically targets the plugin's handling of administrative configuration data, creating a pathway for privilege escalation through unauthorized data modification. The vulnerability's impact is particularly concerning because it allows attackers with relatively low-level user permissions to manipulate critical system configurations.

The technical implementation of this vulnerability demonstrates a clear failure in access control enforcement within the WordPress plugin architecture. The get_google_api_key function lacks proper capability verification before allowing modification operations, meaning that any authenticated user with Contributor-level privileges or higher can execute the function and modify the MailChimp API key configuration. This represents a direct violation of the principle of least privilege and demonstrates inadequate input validation and authorization checks. The vulnerability operates at the application layer and requires no additional exploitation vectors beyond legitimate authentication, making it particularly dangerous in environments where multiple user roles exist.

From an operational perspective, this vulnerability creates significant risk for organizations relying on the Getwid plugin for their WordPress installations. The unauthorized modification of MailChimp API keys can lead to data exfiltration, service disruption, and potential compromise of marketing automation systems. Attackers could potentially redirect email marketing traffic to malicious endpoints, manipulate subscriber lists, or gain access to sensitive customer data managed through MailChimp integration. The impact extends beyond immediate data compromise to include potential reputational damage and regulatory compliance violations, particularly in environments governed by data protection regulations such as gdpr or ccpa.

The vulnerability aligns with CWE-284, which specifically addresses improper access control issues, and demonstrates characteristics consistent with ATT&CK technique T1078.004 related to valid accounts and privilege escalation. Organizations should implement immediate mitigations including plugin updates to versions that address the capability check deficiency, followed by comprehensive access control reviews. System administrators should also consider implementing additional monitoring for API key modifications and user role changes. The recommended remediation approach includes upgrading to the latest plugin version where the capability check has been properly implemented, alongside regular security audits of WordPress plugin configurations. Additionally, organizations should enforce strict user access controls and implement role-based access control policies that limit the scope of modifications any single user can perform within the WordPress administration interface.

Reservation

07/03/2024

Disclosure

07/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00298

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!