CVE-2021-24717: 
WordPress vulnerability analysis and mitigation

The AutomatorWP WordPress plugin versions before 1.7.6 contained a critical security vulnerability (CVE-2021-24717) that was discovered and publicly disclosed on September 28, 2021. The vulnerability stems from missing authorization checks in the plugin, which affects WordPress installations using the AutomatorWP plugin (WPScan Advisory).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 base score of 8.8 (HIGH). The technical nature of the vulnerability involves the plugin's failure to implement proper capability checks in its Ajax actions. This security flaw allows users with minimal privileges (Subscriber role) to perform unauthorized actions through various Ajax endpoints (NVD).

The vulnerability allows users with Subscriber roles to perform multiple unauthorized actions including: enumeration of automations, disclosure of private post titles, exposure of user email addresses, execution of arbitrary functions, and potential privilege escalation. The most severe impact is the ability to create new administrator accounts through manipulation of anonymous automations (WPScan Advisory).

The vulnerability has been fixed in AutomatorWP version 1.7.6. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan Advisory).