CVE-2024-11281: 
WordPress vulnerability analysis and mitigation

The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in versions up to and including 6.1.0. This vulnerability was disclosed on December 25, 2024. The plugin, which enables store owners to sell products both online and offline through physical stores, contains a critical security flaw that affects its user authentication system (NVD).

The vulnerability stems from insufficient validation of the 'loggedinuser_id' value when option values are empty, combined with the ability for attackers to change email addresses of arbitrary user accounts. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to change the email addresses of arbitrary user accounts, including administrators, and subsequently reset their passwords to gain unauthorized access to these accounts. This could lead to complete compromise of WordPress installations using the affected plugin (NVD).

Users should immediately update their WooCommerce Point of Sale plugin to a version newer than 6.1.0 if available. If an update is not available, it is recommended to disable the plugin until a security patch is released (NVD).