CVE-2024-13637: 
WordPress vulnerability analysis and mitigation

The Demo Awesome plugin for WordPress contains a vulnerability (CVE-2024-13637) related to unauthorized modification of data due to a missing capability check in the install_plugin function. This vulnerability affects all versions up to and including 1.0.3. The issue was disclosed on April 2, 2025, and allows authenticated attackers with Subscriber-level access or higher to install and activate arbitrary plugins (NVD).

The vulnerability stems from a missing capability check in the install_plugin function, which allows users with low-level privileges to perform administrative actions. The issue has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to install and activate arbitrary plugins on the affected WordPress installations. This could lead to unauthorized modification of the WordPress site's functionality and potential execution of malicious code (NVD).

The plugin has been closed as of April 1, 2025, pending a full review. Users should consider removing the plugin until a security fix is available (WordPress Plugin).