CVE-2024-7501: 
WordPress vulnerability analysis and mitigation

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2024-7501. The vulnerability affects all versions up to and including 1.8.7, with the discovery and disclosure occurring in August 2024 (NVD).

The vulnerability stems from missing or incorrect nonce validation in the download_theme() function. This security flaw has been assigned a CVSS v3.1 base score of 4.2 (Medium), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

If exploited, this vulnerability allows unauthenticated attackers to download arbitrary themes from the website via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6, the vulnerability was more severe as it allowed attackers to download the entire site's files (NVD).

Website administrators are advised to update the Download Plugins and Themes in ZIP from Dashboard plugin to version 1.8.8 or later, which includes the security fix. The fix can be verified in the plugin's changelog (WordPress Plugin).