CVE-2024-8199: 
WordPress vulnerability analysis and mitigation

The Reviews Feed WordPress plugin (versions up to 1.1.2) contains a vulnerability identified as CVE-2024-8199, discovered and disclosed on August 27, 2024. This vulnerability affects the plugin's functionality that handles testimonials and customer reviews from various platforms including Google Reviews, Yelp, and TripAdvisor. The issue stems from a missing capability check in the 'update_api_key' function (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium). The technical root cause is attributed to a missing capability check in the 'update_api_key' function, which fails to properly validate user permissions. The vulnerability vector is described as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify API Key options without proper authorization. This unauthorized access to API key settings could potentially lead to unauthorized modifications of the plugin's configuration (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Reviews Feed plugin to version 1.2.0 or later which includes the security fix (Wordfence).