CVE-2024-12155: 
WordPress vulnerability analysis and mitigation

The SV100 Companion plugin for WordPress contains a critical vulnerability (CVE-2024-12155) that affects all versions up to and including 2.0.02. The vulnerability stems from a missing capability check on the settings_import() function, which allows unauthorized modification of data that can lead to privilege escalation (NVD).

The vulnerability is characterized by a missing authorization check in the settings_import() function, which enables unauthenticated attackers to update arbitrary options on WordPress sites. The severity is rated as CRITICAL with a CVSS v3.1 base score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability allows unauthenticated attackers to update arbitrary options on the WordPress site. Specifically, attackers can modify the default role for registration to administrator and enable user registration, ultimately gaining administrative user access to vulnerable sites (NVD).

Site administrators should immediately update the SV100 Companion plugin to a version newer than 2.0.02 if available. Until an update is applied, it is recommended to disable the plugin to prevent potential exploitation (NVD).