CVE-2024-32509: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2024-32509) was discovered in the Loopus WP Cost Estimation & Payment Forms Builder WordPress plugin, affecting versions up to 10.1.76. The vulnerability was reported on February 29, 2024, and publicly disclosed on April 15, 2024 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 6.5 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The issue stems from missing authorization checks in certain plugin functions, which could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability allows unauthenticated users to perform unauthorized actions within the WordPress installation. While the specific impact varies case by case, it primarily affects the integrity and availability of the system with low severity (Patchstack).

Users are advised to update to version 10.1.77 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).