CVE-2024-43223: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in EventPrime Events WordPress plugin versions through 4.0.3.2. The vulnerability was reported on July 31, 2024, by security researcher Trương Hữu Phúc and was assigned CVE-2024-43223. The issue relates to incorrectly configured access control security levels in the EventPrime plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue requires Subscriber-level privileges to exploit and stems from missing authorization checks in certain plugin functions (Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to the broken access control implementation. The CVSS scoring indicates that while the vulnerability has network accessibility, it only results in low impact to integrity with no impact on confidentiality or availability (Patchstack).

The vulnerability has been fixed in EventPrime version 4.0.4.0. Users are advised to update to this version or later to remediate the issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks (Patchstack).