CVE-2024-37935: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the anhvnit Woocommerce OpenPos plugin affecting versions through 6.4.4. The vulnerability was disclosed on August 13, 2024, and is tracked as CVE-2024-37935. The issue allows unauthorized access to functionality that should be properly constrained by Access Control Lists (ACLs) (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction. The vulnerability is classified under CWE-862 (Missing Authorization) (Patchstack).

The vulnerability allows attackers to access sensitive functionality that should be restricted by access controls. The high confidentiality impact (C:H) in the CVSS score indicates that the vulnerability can lead to significant unauthorized information disclosure (Patchstack).

Users are advised to update to version 7.0.2 or later of the Woocommerce OpenPos plugin, which contains fixes for this vulnerability (Patchstack).