CVE-2024-43310: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2024-43310) was discovered in UkrSolution's Print Barcode Labels for your WooCommerce plugin, affecting versions up to 3.4.9. The vulnerability was identified on August 16, 2024, by security researcher Muhammad Daffa and involves broken access control issues in the plugin's functionality (Patchstack).

The vulnerability stems from a missing capability check on the search() function, which allows authenticated attackers with subscriber-level access and above to search for labels without proper authorization. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (WPScan, NVD).

The vulnerability allows authenticated users with subscriber-level privileges to perform unauthorized searches for labels, potentially exposing sensitive information. This broken access control issue could lead to unauthorized access to label data within the WooCommerce system (Patchstack).

Users are advised to update to version 3.4.10 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).