CVE-2024-9192: 
WordPress vulnerability analysis and mitigation

The WordPress Video Robot - The Ultimate Video Importer plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-9192) due to insufficient validation on user meta that can be updated in the wpvrraterequest_result() function. This vulnerability affects all versions up to and including 1.20.0. The issue was disclosed on November 15, 2024 (NVD).

The vulnerability stems from insufficient validation of user meta data in the wpvrraterequest_result() function. The security flaw allows authenticated attackers with subscriber-level access or higher to update their user meta on WordPress sites. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk (NVD).

The vulnerability allows authenticated attackers to escalate their privileges to administrator level by manipulating their user capabilities through the user meta update functionality. This gives attackers full administrative access to the WordPress site, potentially compromising the entire website's security (NVD).

Website administrators running the WordPress Video Robot plugin should immediately update to a version newer than 1.20.0 if available. If no patch is available, it is recommended to disable the plugin until a security update is released (NVD).