CVE-2024-11643: 
WordPress vulnerability analysis and mitigation

The Accessibility by AllAccessible plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-11643) due to a missing capability check in the 'AllAccessiblesavesettings' function. This vulnerability affects all versions up to and including 1.3.4. The issue was disclosed on December 4, 2024 (NVD).

The vulnerability stems from a missing authorization check in the 'AllAccessiblesavesettings' function, which allows authenticated users with Subscriber-level access or higher to modify arbitrary WordPress options. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness has been classified as CWE-862 (Missing Authorization) (NVD).

The vulnerability allows authenticated attackers to update arbitrary options on the WordPress site. Specifically, attackers can modify the default role for new user registrations to administrator and enable user registration, effectively allowing them to create administrative accounts and gain full control over the vulnerable site (NVD).

Site administrators should update the Accessibility by AllAccessible plugin to a version newer than 1.3.4 once a patch is available. In the meantime, consider disabling the plugin if it's not critical to site operations (NVD).