CVE-2024-6599: 
WordPress vulnerability analysis and mitigation

The Meks Video Importer plugin for WordPress contains a vulnerability (CVE-2024-6599) related to unauthorized API key modification. The vulnerability affects all versions up to and including 1.0.11, discovered and disclosed on July 17, 2024. The issue stems from a missing capability check on the ajaxsavesettings function (NVD).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 Base Score of 4.3 (Medium). The vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges. The vulnerability specifically relates to missing authorization checks in the plugin's settings functionality (Patchstack, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify the plugin's API keys. This unauthorized access to API key modification could potentially lead to service disruption or unauthorized usage of API services (NVD).

Users are advised to update to version 1.0.13 or later to remediate this vulnerability. For those using Patchstack, virtual patching is available to mitigate the issue until an update can be applied (Patchstack).