CVE-2024-6624: 
WordPress vulnerability analysis and mitigation

The JSON API User plugin for WordPress (CVE-2024-6624) contains a critical privilege escalation vulnerability affecting all versions up to and including 3.9.3. The vulnerability was discovered and disclosed on July 11, 2024, impacting WordPress installations with both the JSON API User plugin and the JSON API plugin installed (NVD CVE).

The vulnerability stems from improper controls on custom user meta fields, receiving a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates the highest severity level, requiring no privileges or user interaction for exploitation, and potentially resulting in complete system compromise (Wordfence Report).

The vulnerability allows unauthenticated attackers to register themselves as administrators on affected WordPress sites, potentially leading to complete site compromise. This level of access could enable attackers to modify site content, install malicious plugins, access sensitive information, and potentially compromise the entire WordPress installation (NVD CVE).

A patch has been released in version 3.9.4 of the JSON API User plugin. Site administrators are strongly advised to update to this latest version immediately. The vulnerability can be tracked through the WordPress plugin repository where the fix has been implemented (WordPress Patch).