CVE-2024-7721: 
WordPress vulnerability analysis and mitigation

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress contains a vulnerability (CVE-2024-7721) due to a missing capability check on the 'save_password' function in versions up to and including 2.5.34. This security issue was discovered and disclosed in September 2024 (NVD).

The vulnerability stems from insufficient authorization controls in the plugin's 'save_password' function. The security flaw has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating a relatively moderate severity level. The issue is classified as CWE-862: Missing Authorization (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to manipulate certain plugin options. Specifically, attackers can set any options that are not explicitly checked as false to an array, including the ability to enable user registration even when it has been deliberately disabled by administrators (NVD).

A patch has been released to address this vulnerability. Users are advised to update their HTML5 Video Player plugin to a version newer than 2.5.34 (WordPress Plugin).