CVE-2024-49644: 
WordPress vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2024-49644) was discovered in the WordPress Accessibility by AllAccessible plugin, affecting versions up to 1.3.4. The vulnerability was reported by security researcher Kévin Mosbahi (Mika) on October 28, 2024, and was publicly disclosed on January 3, 2025. This security issue allows authenticated users with subscriber-level access or higher to escalate their privileges (Patchstack).

The vulnerability has been classified as an Incorrect Privilege Assignment (CWE-266) with a CVSS v3.1 score of 8.8 (High). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs low privileges, requires no user interaction, and can result in high impacts to confidentiality, integrity, and availability (Patchstack).

The vulnerability could allow malicious actors to escalate their low-privileged accounts to higher privilege levels, potentially leading to full control of the website if administrative privileges are gained. This type of vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

The vulnerability has been fixed in version 1.3.5 of the Accessibility by AllAccessible plugin. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).