CVE-2024-1984: 
WordPress vulnerability analysis and mitigation

The Graphene theme for WordPress contains an unauthorized data access vulnerability (CVE-2024-1984) affecting all versions up to and including 2.9.2. This vulnerability was discovered and disclosed in February 2024, impacting websites using the Graphene WordPress theme (CVE MITRE).

The vulnerability allows unauthenticated users to access the contents of password-protected posts through the generated source code via meta tags. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges (NVD).

When exploited, this vulnerability enables unauthorized individuals to view the content of password-protected posts, bypassing the intended access controls. This compromises the confidentiality of protected content on affected WordPress sites (Wordfence).

The vulnerability has been patched in version 2.9.3 of the Graphene theme. Site administrators are advised to update to this version immediately. The update includes fixes for PHP notices and warnings, and specifically addresses the issue of password-protected post excerpts appearing in rich snippets or open graph metadata (WordPress Themes).