CVE-2024-50500: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the Shortcodes and extra features for Phlox theme WordPress plugin, affecting versions through 2.17.2. The vulnerability was discovered by Rafie Muhammad and was assigned CVE-2024-50500. The issue was reported on July 17, 2024, and publicly disclosed on January 31, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) that stems from missing authorization checks. It received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability requires a low privilege level (Subscriber) to exploit (Patchstack, NVD).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to incorrectly configured access control security levels. The impact is considered low severity and is unlikely to be exploited in most scenarios (Patchstack).

As of February 2025, no official fix has been released for this vulnerability. The issue affects versions up to 2.17.4, and Patchstack has indicated that a virtual patch is unnecessary due to the low severity of the vulnerability (Patchstack).