CVE-2024-37440: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the WordPress Church Admin plugin affecting versions up to 4.4.4. The vulnerability was reported by Ngô Thiên An from VNPT-VCI on May 31, 2024, and was publicly disclosed on June 28, 2024. The issue has been assigned CVE-2024-37440 and relates to broken access control security levels (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue that allows exploiting incorrectly configured access control security levels. The severity has been assessed with a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability requires Subscriber-level privileges to exploit (Patchstack).

The vulnerability is categorized as a broken access control issue, which could potentially allow an unprivileged user to execute certain higher privileged actions. The impact has been assessed as low severity and is considered unlikely to be exploited (Patchstack).

The vulnerability has been fixed in version 4.4.5 of the Church Admin plugin. Users are advised to update to version 4.4.5 or later to remediate the issue. Additionally, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack).