CVE-2024-3233: 
WordPress vulnerability analysis and mitigation

The Ivory Search – WordPress Search Plugin for WordPress contains a vulnerability (CVE-2024-3233) due to a missing capability check on the ajaxcreateindex() function in versions up to and including 5.5.5. This security flaw allows authenticated users with subscriber-level access or higher to trigger index creation without proper authorization (Wordfence).

The vulnerability stems from insufficient authorization controls in the ajaxcreateindex() function within the plugin. The missing capability check enables authenticated users with minimal privileges (subscriber level and above) to perform index creation operations that should be restricted to users with higher privileges. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (WPScan).

The vulnerability allows unauthorized modification of data through index creation operations. While the direct impact is limited to index manipulation, this could potentially affect the search functionality and performance of the website (NVD).

The vulnerability has been patched in version 5.5.6 of the Ivory Search plugin. Site administrators are advised to update to this version or later to address the security issue (WPScan).