CVE-2024-54379: 
WordPress vulnerability analysis and mitigation

The Minterpress WordPress plugin contains a Missing Authorization vulnerability (CVE-2024-54379) that allows privilege escalation in versions up to and including 1.0.5. The vulnerability was discovered by researcher Mika and publicly disclosed on December 11, 2024. The issue affects the plugin's functionality related to option updates and has received a CVSS v3.1 base score of 8.8 (HIGH) (Patchstack, WPScan).

The vulnerability stems from a missing capability check on a function that handles option updates in the WordPress site. The security flaw is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to update arbitrary options on the WordPress site. Attackers can exploit this to modify critical site settings, including the ability to update the default role for new user registrations to administrator and enable user registration, ultimately leading to unauthorized administrative access to the affected site (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures (Patchstack).