CVE-2024-38769: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in Tyche Softwares Arconix Shortcodes plugin versions through 2.1.11. The vulnerability was discovered by Dhabaleshwar Das and was disclosed on July 19, 2024, receiving the identifier CVE-2024-38769. The issue allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where there is a missing authorization, authentication, or nonce token check in a function. This allows unprivileged users to execute certain higher privileged actions. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (Patchstack).

The vulnerability has a low severity impact and is considered unlikely to be exploited. It primarily affects the access control mechanism of the plugin, potentially allowing unauthorized users to perform actions that should be restricted to users with higher privileges (Patchstack).

The vulnerability has been fixed in version 2.1.12 of the Arconix Shortcodes plugin. Users are advised to update to this version or later to remove the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).