CVE-2024-3895: 
WordPress vulnerability analysis and mitigation

The WP Datepicker plugin for WordPress (CVE-2024-3895) contains a critical vulnerability affecting versions up to and including 2.1.0. The vulnerability stems from a missing capability check on the wpdpaddnewdatepickerajax() function, which was discovered in May 2024. This security flaw affects over 10,000 active WordPress installations (Cyber Security News).

The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The security issue arises from a missing capability check in the wpdpaddnewdatepickerajax() function, which allows authenticated users with subscriber-level access or higher to perform unauthorized modifications of data (NVD).

The vulnerability enables authenticated attackers with subscriber-level access or higher to update arbitrary options within the WordPress installation. This capability can be leveraged for privilege escalation, potentially allowing attackers to create administrator accounts and gain full control over affected websites (Cyber Security News).

WordPress users are strongly advised to update their WP Datepicker plugin to version 2.1.1 or higher, which contains the complete fix for this vulnerability. Wordfence Premium, Care, and Response users received a firewall rule in April to protect against exploits targeting this vulnerability (Cyber Security News).

The vulnerability was discovered and reported through the Wordfence Bug Bounty Program by researcher Lucio Sá, who was awarded a bounty of $493.00 for the discovery during the Bug Bounty Program Extravaganza (Cyber Security News).