CVE-2024-13407: 
WordPress vulnerability analysis and mitigation

The Omnipress plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-13407) affecting all versions up to and including 1.5.4. The vulnerability was discovered in March 2024 and is related to insufficient restrictions in the megamenu block functionality (NVD).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has received a CVSS v3.1 base score of 6.5 (MEDIUM) from NIST NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Wordfence assigned a slightly lower CVSS score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to extract data from password protected, private, or draft posts that they should not have access to. This represents a significant information disclosure risk for sensitive content managed through the WordPress platform (NVD).

A patch has been released in version 1.5.5 of the Omnipress plugin. Users are advised to update to this latest version to mitigate the vulnerability (WordPress Patch).