CVE-2024-24872: 
NixOS vulnerability analysis and mitigation

The Themify Builder WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 7.0.5. The vulnerability was discovered on February 5, 2024, and was assigned CVE-2024-24872. This security issue impacts the cache_menu() function due to missing or incorrect nonce validation (Patchstack, WPScan).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and has received varying CVSS scores. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack assessed it with a CVSS score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to clear cache via a forged request, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

The vulnerability has been patched in version 7.0.6 of the Themify Builder plugin. Users are advised to update to this version or later to resolve the security issue (WPScan).