CVE-2024-43253: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Zaytech Smart Online Order for Clover plugin versions up to 1.5.6. The vulnerability was reported by Dhabaleshwar Das on February 16, 2024, and was publicly disclosed on August 12, 2024, receiving the identifier CVE-2024-43253. The vulnerability allows accessing functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where there is a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute certain higher privileged actions. The vulnerability has received different CVSS v3.1 scores: NIST assigned a Critical score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Patchstack assigned a Medium score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) (NVD, Patchstack).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. However, if exploited, it could allow unauthorized users to access functionality that should be restricted by access controls (Patchstack).

The vulnerability has been fixed in version 1.5.7 of the Smart Online Order for Clover plugin. Users are advised to update to this version or later to remove the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).