CVE-2024-49686: 
WordPress vulnerability analysis and mitigation

The Landing Page Cat WordPress plugin contains a Missing Authorization vulnerability (CVE-2024-49686) that affects versions up to and including 1.7.4. The vulnerability was discovered and reported by researcher Phill Sav (Savphill) on October 21, 2024, and has been fixed in version 1.7.5 (WPScan, Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue, resulting in broken access control. It has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. The security flaw stems from a missing capability check on the custom post type added via the plugin (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access and above to edit and modify landing pages without proper authorization. This represents a broken access control issue that could lead to unauthorized modification of data (WPScan).

The vulnerability has been patched in version 1.7.5 of the Landing Page Cat plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).