CVE-2024-9522: 
WordPress vulnerability analysis and mitigation

The WP Users Masquerade plugin for WordPress (versions up to 2.0.0) contains an authentication bypass vulnerability identified as CVE-2024-9522. The vulnerability was discovered by István Márton and publicly disclosed on October 9, 2024. The issue stems from incorrect authentication and capability checking in the 'ajaxmasqlogin' function (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The security flaw is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability exists in the authentication mechanism of the plugin's 'ajaxmasqlogin' function (Wordfence).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to log in as any existing user on the site, including administrators. This represents a significant security risk as it enables privilege escalation and unauthorized access to administrative functions (NVD).

Users should immediately update their WP Users Masquerade plugin to a version newer than 2.0.0 if available. If an update is not available, it is recommended to disable or remove the plugin until a security patch is released (NVD).