CVE-2024-50456: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in SEOPress WordPress plugin, identified as CVE-2024-50456. The vulnerability affects SEOPress versions through 8.1.1 and involves incorrectly configured access control security levels. The issue was discovered by Rafie Muhammad and was publicly disclosed on October 24, 2024 (Patchstack).

The vulnerability is classified as a broken access control issue, which stems from missing authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to execute higher privileged actions. The vulnerability has received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 5.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability is categorized under CWE-862 (Missing Authorization) (NVD).

According to the severity assessments, the vulnerability could potentially lead to unauthorized access and execution of privileged actions. The varying CVSS scores indicate different interpretations of the potential impact, with NIST suggesting high potential for confidentiality, integrity, and availability breaches, while Patchstack indicates a lower impact on these security aspects (NVD, Patchstack).

The vulnerability has been fixed in SEOPress version 8.2. Users are advised to update to version 8.2 or later to remove the vulnerability. Patchstack has classified this as a low-priority issue and considers it unlikely to be exploited (Patchstack).