CVE-2024-39623: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in CridioStudio's ListingPro WordPress theme, affecting versions through 2.9.4. The vulnerability was identified with CVE-2024-39623 and was publicly disclosed on July 22, 2024. This security issue affects the WordPress theme ListingPro and allows potential authentication bypass (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation on a function within the ListingPro theme. It has been assigned CWE-352 (Cross-Site Request Forgery) and received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (WPScan, Patchstack).

The vulnerability enables unauthenticated attackers to potentially take over user accounts through forged requests. The attack can be successful if the attacker can trick a site administrator into performing specific actions, such as clicking on a malicious link. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (Patchstack).

The vulnerability has been patched in ListingPro version 2.9.5. Users are advised to update to this version or later to remove the vulnerability. Despite the high CVSS score, Patchstack has classified this as a low-priority issue that is unlikely to be exploited (Patchstack).