CVE-2024-38743: 
WordPress vulnerability analysis and mitigation

A broken access control vulnerability (CVE-2024-38743) was discovered in the WordPress plugin Plum: Spin Wheel & Email Pop-up versions up to 2.0. The vulnerability was reported by Ananda Dhakal and disclosed on July 11, 2024. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) (Patchstack).

The vulnerability is classified as a Missing Authorization issue (CWE-862) that allows unauthenticated users to perform certain actions that should require higher privileges. The vulnerability has been assigned a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating that it can be exploited over the network with low attack complexity, requires no privileges or user interaction, and can result in low-severity impacts to integrity (Patchstack).

The vulnerability could allow an unprivileged user to execute certain higher privileged actions within the plugin's functionality. The impact is considered low severity, primarily affecting the integrity of the system (Patchstack).

No official fix is currently available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available (Patchstack).