CVE-2024-38690: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Avirtum iPanorama 360 WordPress Virtual Tour Builder plugin versions up to 1.8.3. The vulnerability was disclosed on July 10, 2024, and was assigned CVE-2024-38690. The issue allows accessing functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability stems from missing authorization checks that could allow unprivileged users to execute certain higher privileged actions (Patchstack).

The vulnerability allows unauthenticated users to access functionality that should be restricted by Access Control Lists. While rated as having a low severity impact, it could potentially lead to unauthorized access to protected features (Patchstack).

The vulnerability has been fixed in version 1.8.4 of the iPanorama 360 WordPress Virtual Tour Builder plugin. Users are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).