CVE-2024-38783: 
WordPress vulnerability analysis and mitigation

The Arconix FAQ WordPress plugin contains a Missing Authorization vulnerability (CVE-2024-38783) that affects versions up to and including 1.9.4. The vulnerability was discovered by Dhabaleshwar Das and publicly disclosed on July 19, 2024. The issue allows unauthenticated attackers to access functionality not properly constrained by Access Control Lists (ACLs) (Patchstack, WPScan).

The vulnerability stems from a missing capability check in the tsresettrackingsetting() function, which allows unauthorized access to and modification of tracking settings. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. It is classified as CWE-862: Missing Authorization ([Patchstack](https://patchstack.com/database/vulnerability/arconix-faq/wordpress-arconix-faq-plugin-1-9-4-broken-access-control-vulnerability?s_id=cve)).

The vulnerability enables unauthenticated attackers to reset tracking settings in the Arconix FAQ plugin, potentially leading to unauthorized modification of data (WPScan).

The vulnerability has been patched in version 1.9.5 of the Arconix FAQ plugin. Users are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).