CVE-2024-38794: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in MediaRon LLC's Custom Query Blocks WordPress plugin, tracked as CVE-2024-38794. The vulnerability affects versions up to 5.2.0 and allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs). The issue was discovered by Joshua Chan and was published on July 22, 2024 (NVD, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that it can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction (Patchstack).

The vulnerability allows unauthorized users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The impact is primarily focused on confidentiality with low severity, while integrity and availability are not affected (Patchstack).

The vulnerability has been patched in version 5.3.0 of the Custom Query Blocks plugin. Users are advised to update to version 5.3.0 or later to remediate the issue. Additionally, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack).