CVE-2024-32148: 
WordPress vulnerability analysis and mitigation

The Pardot WordPress plugin contains a Missing Authorization vulnerability (CVE-2024-32148) affecting versions up to and including 2.1.0. The vulnerability was discovered by Abdi Pranata and publicly disclosed on April 12, 2024. This security issue impacts the Salesforce Pardot plugin for WordPress installations (Patchstack, WPScan).

The vulnerability is classified as a Missing Authorization (CWE-862) issue due to missing capability checks on several AJAX actions. It has received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (Patchstack).

The vulnerability allows authenticated attackers with subscriber-level access or higher to perform unauthorized actions, including the ability to reset cache and execute other privileged operations (WPScan).

The vulnerability has been patched in version 2.1.1 of the Pardot plugin. Users are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).