CVE-2021-24633
WordPress vulnerability analysis and mitigation

Overview

CVE-2021-24633 affects versions of the WordPress Countdown Block plugin below 1.1.2. The issue was discovered and publicly disclosed on August 30, 2021. The flaw is a missing authorization check in the plugin's AJAX action functionality, and it affects any WordPress installation running a vulnerable version of the plugin (WPScan).

Technical details

The vulnerability stems from a missing authorization check in the ebwriteblock_css AJAX action. The initial fix attempt in version 1.1.1 was incomplete, as it still allowed exploitation through a CSRF attack on an administrator due to a logic flaw. The vulnerability is classified as CWE-862 (Missing Authorization) and has been assigned a CVSS score of 6.5 (medium severity). This security issue falls under the OWASP Top 10 category A5: Broken Access Control (WPScan).
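
As an added illustration (not the Countdown Block plugin's code; the handler names, action names, meta key and nonce action are hypothetical), the PHP below contrasts an AJAX handler with no authorization check, a constructed example of how an incomplete fix can leave a CSRF path against an administrator, and a handler that requires both a valid nonce and a per-post capability:

```php
<?php
// Hypothetical names throughout; this is not the Countdown Block plugin's code.

// Shared write used by all three handlers below.
function example_store_css() {
    $post_id = absint($_POST['post_id'] ?? 0);
    $css     = wp_strip_all_tags(wp_unslash($_POST['css'] ?? ''));
    update_post_meta($post_id, '_example_block_css', $css);
    wp_send_json_success();
}

// 1) Missing authorization (CWE-862): wp_ajax_* hooks fire for ANY logged-in
//    user, so a Subscriber reaches the write.
add_action('wp_ajax_example_css_unsafe', 'example_css_unsafe');
function example_css_unsafe() {
    example_store_css();
}

// 2) Incomplete fix (constructed logic flaw): '&&' rejects the request only
//    when BOTH checks fail. An administrator passes the capability check, so
//    a forged cross-site request from the admin's browser needs no valid nonce.
add_action('wp_ajax_example_css_flawed', 'example_css_flawed');
function example_css_flawed() {
    $nonce_ok = (bool) wp_verify_nonce($_POST['nonce'] ?? '', 'example_write_css');
    if (!current_user_can('edit_posts') && !$nonce_ok) {
        wp_send_json_error('forbidden', 403);
    }
    example_store_css();
}

// 3) Hardened: the nonce AND the per-post capability must both pass.
add_action('wp_ajax_example_css_safe', 'example_css_safe');
function example_css_safe() {
    // Terminates the request with 403 if $_POST['nonce'] is missing or invalid.
    check_ajax_referer('example_write_css', 'nonce');
    $post_id = absint($_POST['post_id'] ?? 0);
    // 'edit_post' is a meta capability evaluated against this specific post.
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }
    example_store_css();
}
```

When reviewing other plugins for the same class of issue, look for `wp_ajax_` handlers that write data without both a nonce check and a `current_user_can()` check tied to the object being modified.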

Impact

When exploited, this vulnerability allows any authenticated user, including those with minimal privileges such as Subscribers, to modify post contents that are displayed to users. In other words, any logged-in account, even a low-privileged one, could alter the content of posts on the affected WordPress site (WPScan).

Mitigation and workarounds

The vulnerability has been fixed in version 1.1.2 of the Countdown Block plugin. Site administrators are strongly advised to update to this version or later to protect against this security issue (WPScan).

This report was generated using AI.
