CVE-2024-54402: 
WordPress vulnerability analysis and mitigation

The Arabic Webfonts WordPress plugin contains a Missing Authorization vulnerability (CVE-2024-54402) that affects all versions up to and including 1.4.6. The vulnerability was discovered by Marek Mikita and publicly disclosed on December 12, 2024. The issue stems from missing authorization controls in the Jozoor Arabic Webfonts plugin, which allows for exploiting incorrectly configured access control security levels (WPScan, Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The security issue arises from a missing capability check on a function, which affects the access control mechanism of the plugin (Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions within the WordPress installation. This represents a broken access control issue that could potentially lead to unprivileged users executing certain higher privileged actions (WPScan).

As of the vulnerability disclosure, no official fix has been made available for this security issue. Given the low severity impact, Patchstack has indicated that a virtual patch is unnecessary (Patchstack).