CVE-2024-44006: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in OnTheGoSystems WooCommerce Multilingual & Multicurrency plugin affecting versions through 5.3.6. The vulnerability was reported on July 25, 2024, and publicly disclosed on September 16, 2024. The issue relates to incorrectly configured access control security levels in the WordPress plugin (Patchstack).

The vulnerability has been assigned CVE-2024-44006 and is classified as CWE-862 (Missing Authorization). The National Vulnerability Database (NVD) has assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assessed it with a CVSS score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows for broken access control, which could enable an unprivileged user to execute certain higher privileged actions. The specific impact varies case by case, though it has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).

The vulnerability has been fixed in version 5.3.7 of the WooCommerce Multilingual & Multicurrency plugin. Users are advised to update to version 5.3.7 or later to remove the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).