CVE-2024-49605: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Avchat.Net AVChat Video Chat plugin for WordPress, which allows for Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions of AVChat Video Chat up to and including version 2.2. This security issue was disclosed on October 18, 2024, and was assigned the identifier CVE-2024-49605 (Patchstack).

The vulnerability has received varying CVSS scores from different sources. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The security issue has been assessed to have a low to medium severity impact, though specific impacts may vary case by case (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. The virtual patch provides temporary protection while waiting for a permanent solution (Patchstack).