CVE-2024-44019: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the Contact Form 7 Campaign Monitor Extension WordPress plugin, affecting versions up to 0.4.67. The vulnerability was identified on September 24, 2024, and allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability has been assigned CVE-2024-44019 and received varying CVSS scores from different sources. The National Vulnerability Database (NVD) rated it as CRITICAL with a CVSS v3.1 base score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Patchstack assessed it as MEDIUM with a score of 5.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability allows unauthenticated users to perform arbitrary file deletion operations on affected WordPress installations. This broken access control issue could potentially lead to unprivileged users executing certain higher privileged actions (Patchstack).

As of the vulnerability disclosure, no official fix has been released for this security issue. The vulnerability affects versions up to 0.4.67 of the Contact Form 7 Campaign Monitor Extension plugin (Patchstack).