CVE-2021-4388: 
WordPress vulnerability analysis and mitigation

The Opal Estate WordPress plugin (versions up to 1.6.11) was identified with a missing authorization vulnerability (CVE-2021-4388). The vulnerability was discovered by Jerome Bruandet from NinTechNet and publicly disclosed on August 16, 2021. This security issue affects the plugin's featured property functionality, potentially impacting WordPress installations using the affected versions (NVD).

The vulnerability stems from missing capability checks in two specific functions: opalestatesetfeatureproperty() and opalestateremovefeatureproperty(). The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 5.3 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, while Wordfence assessed it at 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability allows unauthenticated attackers to modify the featured status of properties within the Opal Estate plugin. This means attackers can set or remove the featured status of properties without proper authorization, potentially affecting the visibility and promotion of real estate listings on affected websites (NVD).

Website administrators running the affected versions of the Opal Estate plugin should upgrade to a version newer than 1.6.11 to address this vulnerability. The vulnerability was fixed in subsequent releases of the plugin (NVD).