CVE-2024-1047: 
WordPress vulnerability analysis and mitigation

The Orbit Fox by ThemeIsle plugin for WordPress (CVE-2024-1047) contains a vulnerability related to unauthorized modification of data due to a missing capability check on the register_reference() function. This security flaw affects all versions up to and including 2.10.28. The vulnerability was discovered and reported in February 2024 (NVD).

The vulnerability stems from a missing capability check in the register_reference() function, which allows unauthenticated attackers to update connected API keys. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-862: Missing Authorization (NVD).

The vulnerability allows unauthenticated attackers to modify data by updating the connected API keys in the affected WordPress installations. This could potentially lead to unauthorized access to connected services or compromise of API-dependent functionalities (NVD).

Users are advised to update their Orbit Fox by ThemeIsle plugin to version 2.10.29 or later, which contains the security fix. The patch has been implemented in the Promotions.php file (WordPress Patch).