CVE-2024-11083: 
WordPress vulnerability analysis and mitigation

The ProfilePress WordPress plugin (also known as wp-user-avatar) contains a Sensitive Information Exposure vulnerability (CVE-2024-11083) affecting all versions up to and including 4.15.18. The vulnerability was discovered and reported by researcher Francesco Carlucci, with public disclosure on November 26, 2024 (Wordfence Intel).

The vulnerability exists in the WordPress core search feature implementation within ProfilePress. It allows unauthenticated attackers to access sensitive data from posts that should be restricted to administrator-level roles. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD).

When exploited, this vulnerability allows unauthorized users to extract sensitive information from posts that were intended to be accessible only to users with administrative privileges. This could lead to the exposure of confidential data that was meant to be restricted (NVD).

A fix has been implemented and is available in the WordPress plugin repository. Users are advised to update their ProfilePress plugin to a version newer than 4.15.18 to address this vulnerability (WordPress Plugin).