CVE-2024-6120: 
WordPress vulnerability analysis and mitigation

CVE-2024-6120 affects the Sparkle Demo Importer plugin for WordPress, versions up to and including 1.4.7. The vulnerability was discovered and disclosed on June 21, 2024, and involves a missing capability check that allows unauthorized database reset and demo data import functionality (NVD).

The vulnerability stems from missing authorization checks on multiple functions within the plugin. This security flaw has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The issue is classified as CWE-862 (Missing Authorization) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions including deletion of all posts, pages, and uploaded files. Additionally, attackers can download and install a limited set of demo plugins, potentially compromising the website's integrity (NVD).

Website administrators running affected versions of the Sparkle Demo Importer plugin should update to a version newer than 1.4.7 when available. Until then, it is recommended to review and restrict user access levels to minimize potential exploitation (NVD).