CVE-2024-0201: 
WordPress vulnerability analysis and mitigation

The Product Expiry for WooCommerce plugin for WordPress (versions up to and including 2.5) contains a vulnerability identified as CVE-2024-0201. The vulnerability was discovered and reported by István Márton from Wordfence, and was publicly disclosed on January 2, 2024. This security issue stems from a missing capability check on the 'save_settings' function, affecting the plugin's authorization mechanisms (Wordfence Advisory, WPScan).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 5.4 (Medium) according to Wordfence, and 4.3 (Medium) according to NIST. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, indicating that it can be exploited over the network with low attack complexity and requires low privileges (NVD).

The vulnerability allows authenticated attackers with subscriber-level permissions or above to update plugin settings without proper authorization. This unauthorized access to plugin settings could potentially lead to modification of critical plugin configurations (WPScan).

The vulnerability has been patched in version 2.6 of the Product Expiry for WooCommerce plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).