CVE-2024-50500

CVE-2024-50500 is a missing authorization vulnerability in the WordPress plugin "Shortcodes and extra features for Phlox theme," also known as auxin-elements. The flaw allows exploiting incorrectly configured access control security levels and affects all versions from n/a through 2.17.4. It is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating medium severity due to low-privilege requirements and network accessibility.

An attacker with low privileges, such as an authenticated user with basic access like a subscriber or contributor, can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation enables limited integrity impacts (I:L), such as unauthorized modifications to plugin functionality or site elements, without affecting confidentiality or availability.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-phlox-core-elements-plugin-2-17-2-broken-access-control-vulnerability?_s_id=cve details the vulnerability, with mitigation centered on updating the auxin-elements plugin to a version beyond 2.17.4.