CVE-2024-1110: 
WordPress vulnerability analysis and mitigation

The Podlove Podcast Publisher plugin for WordPress contains a vulnerability (CVE-2024-1110) due to a missing capability check on the init() function in versions up to and including 4.0.11. This security flaw was discovered and disclosed on February 7, 2024, affecting the plugin's settings import functionality (NVD).

The vulnerability stems from a missing authorization check in the init() function, which allows unauthenticated attackers to import plugin settings. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-862: Missing Authorization (NVD).

The vulnerability allows unauthenticated attackers to import plugin settings, potentially leading to unauthorized modification of the plugin's configuration. This could affect the podcast publishing functionality and overall plugin settings (NVD).

A patch has been released to address this vulnerability. The fix includes adding capability checks and nonce validation to the importer functions. Users should update to a version newer than 4.0.11 to protect against this vulnerability (GitHub Patch).