CVE-2024-0248: 
WordPress vulnerability analysis and mitigation

The EazyDocs WordPress plugin before version 2.4.0 reintroduced a previously fixed vulnerability (CVE-2023-6029) in version 2.3.8. This security issue was discovered and disclosed in January 2024, affecting the EazyDocs plugin for WordPress. The vulnerability received a CVSS v3.1 base score of 4.3 (MEDIUM) (NVD).

The vulnerability allows any authenticated users, including those with subscriber-level privileges, to perform unauthorized actions such as deleting arbitrary posts and managing documents/sections. The issue was partially addressed in version 2.3.9, but some functionality remained exploitable. The vulnerability is classified as a Broken Access Control issue (OWASP Top 10 A5) and is categorized under CWE-862 (WPScan).

When exploited, this vulnerability enables authenticated users with low-privilege roles (such as subscribers) to perform unauthorized administrative actions, including the deletion of arbitrary posts and the manipulation of document sections. This can lead to content loss and unauthorized modifications to the website's documentation structure (WPScan).

Website administrators should immediately upgrade to EazyDocs version 2.4.0 or later, which contains the complete fix for this vulnerability. No alternative workarounds have been published (WPScan).