CVE-2024-33564: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2024-33564) was discovered in 8theme XStore, affecting versions through 9.3.8. The vulnerability was reported by Rafie Muhammad and disclosed on April 25, 2024. XStore is a popular WordPress eCommerce theme with over 44,000 sales, used for building online stores with WordPress and WooCommerce (Security Online, Patchstack).

The vulnerability is classified as a Missing Authorization issue (CWE-862) that allows authenticated users with subscriber-level access to update arbitrary WordPress options. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as MEDIUM (4.3) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while Patchstack assigns it a HIGH severity score of 8.8 with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to privilege escalation and unauthorized access to sensitive site functionalities, potentially allowing attackers to modify critical WordPress settings. This could result in website compromise and unauthorized administrative access (Security Online).

The vulnerability has been patched in XStore version 9.3.9. Users are strongly advised to update to this version immediately to protect their websites from potential exploits. Patchstack has also issued a virtual patch to mitigate this issue by blocking any attacks until users can update to the fixed version (Patchstack).