CVE-2024-3961: 
WordPress vulnerability analysis and mitigation

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress contains a vulnerability (CVE-2024-3961) due to a missing capability check on the tag_subscriber function in versions up to and including 2.4.9. This security flaw was discovered and disclosed in June 2024, affecting WordPress installations using the ConvertKit plugin (NVD).

The vulnerability stems from a missing authorization check in the tag_subscriber function, which allows unauthenticated attackers to modify data without proper verification. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity and no privileges required (Wordfence).

The primary impact of this vulnerability is the potential for unauthorized modification of data, specifically allowing attackers to subscribe users to tags without authentication. This can lead to financial consequences for site owners if their API quota is exceeded due to unauthorized tag subscriptions (NVD).

Site administrators should update their ConvertKit plugin to a version newer than 2.4.9, which contains the security fix for this vulnerability (NVD).