CVE-2024-43256: 
WordPress vulnerability analysis and mitigation

The Leopard - WordPress Offload Media plugin for WordPress contains a Missing Authorization vulnerability (CVE-2024-43256) that affects versions up to and including 2.0.36. The vulnerability was discovered by Dave Jong and publicly disclosed on August 12, 2024. This security issue allows authenticated users with Subscriber-level access and above to modify plugin settings without proper authorization (WPScan, Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H. The issue stems from a missing capability check on a function that handles plugin settings, allowing lower-privileged users to access functionality that should be restricted to administrators (Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify the plugin's settings, potentially leading to unauthorized changes in the media offload configuration. This could result in disruption of media handling functionality and potential availability issues for the affected WordPress installation (WPScan).

Users are advised to update to version 3.1.2 or later of the Leopard - WordPress offload media plugin, which contains a fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).