CVE-2024-54289: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the Awesome Support WordPress plugin, affecting versions up to 6.3.0. The vulnerability was discovered by researcher Trương Hữu Phúc and was publicly disclosed on December 11, 2024. The issue allows exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and no user interaction. The scope is unchanged, with high confidentiality impact but no impact on integrity or availability (Patchstack).

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control. It allows unprivileged users to execute certain higher privileged actions, potentially compromising the confidentiality of the affected system. The vulnerability requires subscriber-level privileges to exploit (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).