CVE-2024-8247: 
WordPress vulnerability analysis and mitigation

The Newsletters plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-8247) affecting all versions up to and including 4.9.9.2. The vulnerability was discovered and disclosed in September 2024, impacting WordPress installations using the Newsletters plugin (NVD).

The vulnerability stems from the plugin's failure to properly restrict what user meta can be updated as screen options. This implementation flaw has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security issue with potential for complete system compromise (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to escalate their privileges to administrator level. This could result in complete system compromise, as administrator privileges grant full control over the WordPress installation (NVD).

Users should update to version 4.9.9.3 or later of the Newsletters plugin. Until the update can be applied, administrators should review and restrict access to the Sent & Draft Emails page of the plugin to prevent potential exploitation (NVD).