CVE-2024-12104 Overview
CVE-2024-12104 affects the Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress. The plugin exposes two functions, wpf_delete_file, without a capability check. Unauthenticated attackers can invoke these handlers over the network to delete project pages and files. All versions up to and including 4.0.9 are affected. The issue is tracked as a Missing Authorization weakness under [CWE-862]. NVD records note that CVE-2025-22657 may be a duplicate of this issue.
Critical Impact
Unauthenticated remote attackers can delete arbitrary project pages and files managed by the Atarim plugin, causing integrity loss across affected WordPress sites.
Affected Products
- Atarim Visual Website Collaboration, Feedback & Project Management plugin for WordPress
- All versions up to and including 4.0.9
- WordPress installations exposing the plugin's AJAX endpoints to unauthenticated traffic
Discovery Timeline
- 2025-01-21 - CVE-2024-12104 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2024-12104
Vulnerability Analysis
The Atarim plugin registers WordPress AJAX actions that delete project resources. The handler functions named wpf_delete_file do not verify the caller's capability with current_user_can() and do not validate a nonce tied to a privileged user. Because WordPress routes wp_ajax_nopriv_* actions to unauthenticated visitors, any client able to reach /wp-admin/admin-ajax.php can trigger the deletion logic. The result is unauthorized destruction of files and project pages stored by the plugin.
Root Cause
The root cause is a missing authorization check [CWE-862] inside the deletion handlers. Authentication and capability verification are normally implemented through current_user_can() gates and nonce verification with check_ajax_referer(). Neither control is present on the vulnerable code paths in versions up to 4.0.9, so the functions trust any caller that supplies the expected request parameters.
Attack Vector
Exploitation requires only network access to the target site. An attacker sends a crafted HTTP POST request to admin-ajax.php referencing the vulnerable action and the identifier of a project file or page. The server executes the deletion without verifying the requester's identity or privileges. No user interaction is needed, and no credentials are required. The impact is limited to integrity: confidential data is not disclosed, and the site remains reachable, but project artifacts can be erased.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Report and the WordPress Changeset Details for the precise handler names and patched logic.
Detection Methods for CVE-2024-12104
Indicators of Compromise
- Unauthenticated POST requests to /wp-admin/admin-ajax.php referencing the wpf_delete_file action.
- Missing or unexpectedly removed files in the wp-content/uploads/ directories used by the Atarim plugin.
- Atarim project pages or comments that disappear without administrator activity in the WordPress audit log.
Detection Strategies
- Inspect web server access logs for POST requests to admin-ajax.php where the action parameter matches Atarim file or page deletion handlers and the session cookie is absent.
- Alert when admin-ajax.php requests originate from IPs that have not previously authenticated to the site.
- Run an integrity check across plugin-managed directories and compare against the last known good backup.
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized log platform and retain them long enough to investigate retroactive deletions.
- Enable file integrity monitoring on wp-content/uploads/ and on plugin storage paths.
- Track plugin version inventory across all WordPress sites and flag any instance still running Atarim 4.0.9 or earlier.
How to Mitigate CVE-2024-12104
Immediate Actions Required
- Update the Atarim plugin to a version newer than 4.0.9 as soon as the vendor patch is available through the WordPress plugin repository.
- If patching is not immediately possible, deactivate the plugin to remove the vulnerable AJAX handlers from the request surface.
- Restore deleted project files from backup and review administrator accounts for unrelated abuse.
Patch Information
The vendor addressed the issue through a WordPress.org plugin update. The relevant code change is recorded in the WordPress Changeset Details for the atarim-visual-collaboration plugin. Site administrators should upgrade to the fixed release distributed through the WordPress plugin updater. Confirm successful upgrade by checking the installed version in the WordPress admin dashboard.
Workarounds
- Block unauthenticated requests to admin-ajax.php carrying the vulnerable action parameter at the Web Application Firewall (WAF) layer.
- Restrict access to /wp-admin/ paths to known administrative IP ranges where operationally feasible.
- Disable the Atarim plugin on production sites until the patched version is verified in staging.
# Example WAF rule to block unauthenticated calls to the vulnerable action
# Adjust syntax for your WAF or reverse proxy of choice
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1012104,\
msg:'Block CVE-2024-12104 Atarim wpf_delete_file abuse'"
SecRule ARGS:action "@rx ^wpf_delete_file$" \
"chain"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
