CVE-2024-50466: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the DarkMySite – Advanced Dark Mode Plugin for WordPress, affecting versions up to and including 1.2.8. The vulnerability was identified on October 24, 2024, and was assigned CVE-2024-50466. The issue stems from missing or incorrect nonce validation on one of its functions (WPScan, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack assessed it with a score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability makes it possible for unauthenticated attackers to invoke vulnerable functions via forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

As of the vulnerability disclosure, no official fix is available for this security issue. The vulnerability affects all versions up to and including 1.2.8 of the DarkMySite plugin (Patchstack).

The vulnerability was initially discovered and reported by security researcher SOPROBRO on September 15, 2024. Patchstack issued an early warning to their customers on October 24, 2024, before publishing the vulnerability details on October 26, 2024 (Patchstack).