CVE-2024-10124: 
WordPress vulnerability analysis and mitigation

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin is affected by an unauthorized arbitrary plugin installation vulnerability (CVE-2024-10124). The vulnerability exists due to a missing capability check on the tp_install() function in versions up to and including 1.1.1. This security flaw was discovered and reported by Wordfence, with a partial patch implemented in version 1.1.1 (NVD).

The vulnerability stems from improper access control (CWE-284) in the tp_install() function. The CVSS v3.1 base score is 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a highly severe vulnerability that requires no privileges or user interaction to exploit (Wordfence).

The vulnerability allows unauthenticated attackers to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated (NVD).

Users should update to a version newer than 1.1.1 of the Vayu Blocks plugin. While version 1.1.1 includes a partial patch, it's recommended to use the latest available version to ensure complete protection (NVD).