CVE-2024-54217: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Repute info systems ARForms, affecting versions through 6.4.1. The vulnerability was reported by Dave Jong from Patchstack on February 25, 2024, and was publicly disclosed on December 2, 2024. The issue was assigned CVE-2024-54217 and received a CVSS v3.1 base score of 5.4 (Medium) (Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, and low privileges to exploit. The scope is unchanged, with low impacts on integrity and availability but no impact on confidentiality (NVD, Patchstack).

The vulnerability allows users with subscriber-level privileges to modify plugin settings, which should normally be restricted to higher privilege levels. This security issue has been categorized as having a low severity impact, though it still presents a risk to affected systems (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators using the affected versions of ARForms are advised to implement the Patchstack mitigation (Patchstack).