CVE-2024-43222: 
WordPress vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-43222) was discovered in the SeventhQueen Sweet Date WordPress theme, affecting versions through 3.7.3. This Missing Authorization vulnerability has been assigned a CVSS score of 9.8, indicating its critical severity. The theme, which has approximately 10,000 sales, is a popular premium WordPress theme designed specifically for dating websites (Patchstack Article, Security Online).

The vulnerability stems from insufficient security measures in the wpajaxfbintialize function, which lacks proper authorization and nonce checks when handling user input. The code fails to verify if the user calling the action with a $userID parameter is the legitimate owner of the account, enabling unauthorized password resets for any account (Patchstack Article).

Successful exploitation allows attackers to escalate privileges and potentially take complete control of the WordPress site. Attackers can reset passwords for any user account, including administrators, execute arbitrary code on the server, and potentially use compromised sites to distribute malware (Security Online).

The vulnerability has been patched in version 3.8.0 of the Sweet Date theme. The fix involves modifying the code to stop accepting email from user input and instead retrieving it from a logged-in Facebook user object, while also verifying its connection to the WordPress account. Users are strongly advised to update to version 3.8.0 or later immediately (Patchstack Article).