CVE-2024-6500: 
WordPress vulnerability analysis and mitigation

CVE-2024-6500 affects the InPost for WooCommerce plugin (versions up to 1.4.0) and InPost PL plugin (versions up to 1.4.4) for WordPress. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on August 16, 2024. The vulnerability stems from a missing capability check on the 'parse_request' function, which exposes these WordPress plugins to unauthorized access and data deletion risks (NVD).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 Base Score of 10.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H). The security flaw exists in the parse_request function implementation, which lacks proper capability checks, allowing unauthorized access to sensitive functionalities (NVD).

The vulnerability allows unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, while all files can be read, only files within the WordPress installation can be deleted. This presents a significant security risk for websites using the affected plugins (NVD).

For the InPost PL plugin, updating to version 1.4.5 or later addresses this vulnerability. However, for the InPost for WooCommerce plugin, there are currently no known patch versions available (ASEC).