CVE-2021-4366: 
WordPress vulnerability analysis and mitigation

The PWA for WP & AMP plugin for WordPress (versions up to 1.7.32) contains a vulnerability identified as CVE-2021-4366, which was publicly disclosed on July 1, 2021. This security flaw is characterized as an authorization bypass vulnerability due to a missing capability check in the pwaforwpupdatefeatures_options function (WPScan, NVD).

The vulnerability stems from the absence of a proper capability check in the pwaforwpupdatefeatures_options function. While the plugin implemented a CSRF check, the nonce was accessible to any authenticated user, effectively bypassing the intended authorization restrictions. The vulnerability has received a CVSS v3.1 base score of 4.3 (MEDIUM) from NIST and 6.3 (MEDIUM) from Wordfence, indicating a moderate severity level (NVD).

The vulnerability allows any authenticated user, including those with minimal privileges such as subscribers, to modify the plugin's settings that should normally be restricted. This could potentially lead to unauthorized changes in the plugin's configuration and affect the website's functionality (WPScan).

The vulnerability has been fixed in version 1.7.33 of the PWA for WP & AMP plugin. Website administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).