CVE-2024-10567: 
WordPress vulnerability analysis and mitigation

The TI WooCommerce Wishlist plugin for WordPress contains a security vulnerability (CVE-2024-10567) discovered in versions up to and including 2.9.1. The vulnerability was publicly disclosed on December 3, 2024, and is characterized by a missing capability check on the 'wizard' function, which could allow unauthorized access to plugin functionality (Wordfence Intel, WPScan).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and primarily impacts the integrity of the system (NVD).

The vulnerability allows unauthenticated attackers to perform several unauthorized actions including creating new pages, modifying plugin settings, and performing limited options updates. This represents a significant risk to the integrity of affected WordPress installations (NVD, WPScan).

The vulnerability has been patched in version 2.9.2 of the TI WooCommerce Wishlist plugin. Users are strongly advised to update to this version or later to protect their installations (WPScan).