CVE-2024-12104
📋 TL;DR
The Atarim WordPress plugin has a vulnerability that allows unauthenticated attackers to delete project pages and files without authorization. It affects all WordPress sites running Atarim plugin versions up to and including 4.0.9. The root cause is a missing capability check in the plugin's wpf_delete_file function (the advisory lists the function name twice, covering both the page- and file-deletion handlers), so the deletion logic never verifies that the caller is allowed to perform it.
💻 Affected Systems
- Visual Website Collaboration, Feedback & Project Management – Atarim WordPress plugin
📦 What is this software?
Atarim by Atarim
⚠️ Risk & Real-World Impact
Worst Case
Complete deletion of all project pages and files managed through the Atarim plugin, potentially causing data loss, business disruption, and website functionality issues.
Likely Case
Selective deletion of project content by attackers scanning for vulnerable sites, leading to partial data loss and website defacement.
If Mitigated
Minimal impact if proper access controls, backups, and monitoring are in place to detect and restore deleted content.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to the vulnerable endpoints. Attackers can easily automate exploitation across multiple sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.10 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Atarim - Visual Collaboration' plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 4.0.10+ from WordPress repository and manually update
🔧 Temporary Workarounds
Disable Atarim Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate atarim-visual-collaboration
Restrict Access via WAF
Block requests to the Atarim plugin endpoints using web application firewall rules:
Block HTTP requests containing '/wp-json/atarim/' or '/wp-admin/admin-ajax.php?action=wpf_delete_file'
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the WordPress admin interface and REST API endpoints
- Enable comprehensive logging and monitoring for file deletion activities and implement automated alerts for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Atarim plugin version. If version is 4.0.9 or lower, the site is vulnerable.
Check Version:
wp plugin get atarim-visual-collaboration --field=version
Verify Fix Applied:
Verify that the Atarim plugin version shown in the WordPress admin panel is 4.0.10 or higher. An unauthenticated request to the file-deletion endpoint should now be rejected rather than deleting anything.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to /wp-admin/admin-ajax.php with the action=wpf_delete_file parameter from clients that carry no WordPress login session
- Sudden increase in file deletion events in WordPress or server logs
Network Indicators:
- HTTP POST requests to WordPress admin-ajax.php with wpf_delete_file action from external IPs without authentication headers
- Unusual patterns of requests to Atarim-specific endpoints
SIEM Query:
source="wordpress.log" AND ("wpf_delete_file" OR "atarim") AND status=200 AND NOT user_authenticated=true
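The log indicators above can be turned into a small triage script. The following is an added example, not part of the advisory and not code from the Atarim plugin: it parses access-log lines in combined format extended with the request's Cookie header as a final quoted field (an assumption about how the web server is configured to log), flags 200 OK POST requests to admin-ajax.php with action=wpf_delete_file that carry no wordpress_logged_in_* session cookie, and counts them per source IP. The sample log lines are constructed for this example. Note the caveat in the code: an attacker can also send the action parameter in the POST body, which ordinary access logs do not record, so request-body logging (or WAF logs) is needed to catch that variant.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format plus a trailing quoted
# Cookie field). Addresses are documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:01:22 +0000] "POST /wp-admin/admin-ajax.php?action=wpf_delete_file HTTP/1.1" 200 43 "-" "python-requests/2.31" "-"
203.0.113.7 - - [10/Dec/2024:10:01:23 +0000] "POST /wp-admin/admin-ajax.php?action=wpf_delete_file HTTP/1.1" 200 43 "-" "python-requests/2.31" "-"
198.51.100.4 - - [10/Dec/2024:10:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=wpf_delete_file HTTP/1.1" 200 43 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_abc=admin%7C1700000000"
192.0.2.9 - - [10/Dec/2024:10:06:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Dec/2024:10:07:45 +0000] "POST /wp-admin/admin-ajax.php?action=wpf_delete_file HTTP/1.1" 403 12 "-" "python-requests/2.31" "-"
"""

# Combined log format with one extra quoted field at the end holding the Cookie header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_login_cookie(cookie_header):
    """True if the Cookie header carries a WordPress session (wordpress_logged_in_<hash>)."""
    return any(part.strip().startswith("wordpress_logged_in_") for part in cookie_header.split(";"))


def is_unauthenticated_delete(rec):
    """Match the advisory's indicator: a successful admin-ajax wpf_delete_file call with no login session."""
    if rec["method"] != "POST" or rec["status"] != "200":
        return False
    url = urlsplit(rec["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    # Caveat: only actions passed in the query string are visible here. An action sent in
    # the POST body is not in a standard access log and needs request-body or WAF logging.
    action = parse_qs(url.query).get("action", [""])[0]
    if action != "wpf_delete_file":
        return False
    return not has_login_cookie(rec["cookie"])


def find_unauthenticated_deletes(log_text, min_hits=1):
    """Count matching events per source IP; return IPs with at least min_hits events."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_delete(rec):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in sorted(find_unauthenticated_deletes(SAMPLE_LOG).items()):
        print(f"{ip}: {n} unauthenticated wpf_delete_file call(s) returned 200")
```

In the sample, only 203.0.113.7 is reported (two hits): the request from 198.51.100.4 carries a login cookie, the heartbeat action is unrelated, and the later 403 shows what the same request looks like once the plugin is patched or the WAF rule from the workaround section is in place. The predicate in is_unauthenticated_delete is the same condition a WAF rule for this endpoint would match on, so the script doubles as a quick check that such a rule is actually taking effect.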