CVE-2024-37929: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the User Activity Log Pro WordPress plugin affecting versions up to 2.3.4. The vulnerability was identified on January 14, 2024, and publicly disclosed on July 9, 2024. This security issue allows for exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 6.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The vulnerability requires Subscriber-level privileges to exploit, indicating that even low-privileged authenticated users could potentially exploit this security flaw (Patchstack).

The vulnerability could allow authenticated users with low privileges (Subscriber level) to perform actions that should be restricted to users with higher privilege levels. This could potentially lead to unauthorized access to sensitive information and functionality within the WordPress installation (Patchstack).

Currently, there is no official fix available from the plugin developer. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider alternative security measures (Patchstack).