CVE-2024-49321: 
WordPress vulnerability analysis and mitigation

The Simple Custom Post Order WordPress plugin contains a Missing Authorization vulnerability (CVE-2024-49321) that was discovered in versions up to and including 2.5.7. The vulnerability was publicly disclosed on October 15, 2024, and allows authenticated users with subscriber-level access to exploit incorrectly configured access control security levels (WPScan, Patchstack).

The vulnerability stems from a missing capability check in the updatemenuorder_tags() function, which enables authenticated attackers with subscriber-level privileges or higher to update order tags without proper authorization. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. It is classified as CWE-862 (Missing Authorization) (WPScan).

The vulnerability allows authenticated users with subscriber-level access to modify data through unauthorized modification of order tags, potentially affecting the content structure and organization of the website (Patchstack).

The vulnerability has been fixed in version 2.5.8 of the Simple Custom Post Order plugin. Users are advised to update to this version or later to remediate the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).