CVE-2024-43272: 
WordPress vulnerability analysis and mitigation

A Missing Authentication for Critical Function vulnerability was discovered in the WordPress Icegram Engage plugin versions up to 3.1.24. The vulnerability, identified as CVE-2024-43272, allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs). The issue was disclosed on August 19, 2024, and affects the Icegram plugin through version 3.1.24 (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is categorized under CWE-306 (Missing Authentication for Critical Function) and allows unauthenticated users to access certain functionality that should be restricted (Patchstack).

The vulnerability allows unauthenticated users to view unpublished campaigns, potentially exposing sensitive information that should be restricted. The impact is primarily focused on confidentiality with a low severity rating (Patchstack).

The vulnerability has been fixed in version 3.1.25 of the Icegram plugin. Users are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).