CVE-2024-9626: 
WordPress vulnerability analysis and mitigation

The Editorial Assistant by Sovrn plugin for WordPress contains a vulnerability (CVE-2024-9626) related to unauthorized modification of data. The vulnerability affects versions up to and including 1.3.3, and stems from a missing capability check in the 'ajaxzemantasetfeaturedimage' function. This security flaw was discovered and disclosed on October 25, 2024 (NVD).

The vulnerability is caused by a missing authorization check in the 'ajaxzemantasetfeaturedimage' function. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness has been classified as CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows authenticated attackers with subscriber-level access or higher to upload attachment files (including jpg, png, txt, zip) and set post featured images without proper authorization. This could lead to unauthorized modification of website content (NVD).

Users should update to a version newer than 1.3.3 once available. In the meantime, site administrators should review and potentially restrict subscriber-level access to minimize the risk (NVD).