CVE-2024-12104: 
WordPress vulnerability analysis and mitigation

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress has been identified with a vulnerability (CVE-2024-12104) that was disclosed on January 21, 2025. The vulnerability affects all versions up to and including 4.0.9 of the plugin. This security issue stems from missing capability checks on specific functions that could lead to unauthorized data loss (NVD).

The vulnerability is characterized by missing authorization checks on the wpf_delete_file functions, which constitutes a CWE-862 (Missing Authorization) weakness. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as HIGH with a base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), while Wordfence assigns it a MEDIUM severity with a base score of 5.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) (NVD).

The vulnerability allows unauthenticated attackers to delete project pages and files within the WordPress installation. This can result in unauthorized loss of data, potentially affecting the integrity of websites using the affected plugin (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Atarim plugin to version 4.1.0 or later which includes the security fix (WordPress Patch).