PT-2024-16450 · WordPress · Top Store

Kevin Murphy +2

Published: 2024-11-08 · Updated: 2025-03-14

CVE-2024-10673

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Top Store theme for WordPress, versions up to and including 1.5.4
Description: The issue is unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function. This allows authenticated attackers, with subscriber-level access and above, to install arbitrary plugins, which can contain other exploitable vulnerabilities that can be used to elevate privileges and gain remote code execution.
Recommendations: For versions up to and including 1.5.4, update to a version that includes a fix for this issue. As a temporary workaround, restrict access to the top_store_install_and_activate_callback() function to minimize the risk of exploitation. Additionally, restrict the installation of arbitrary plugins to prevent potential elevation of privileges and remote code execution.
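An added illustrative example of the weakness class described above (not the Top Store theme's own code; the `example_*` names are hypothetical, while the WordPress APIs used are real): a `wp_ajax_` callback reachable by any logged-in user that never checks a capability, beside the fixed form that verifies a nonce and the `install_plugins`/`activate_plugins` capabilities before doing privileged work.

```php
<?php
// Illustrative WordPress AJAX handlers. Added example, NOT the Top Store
// theme's code; the example_* identifiers are hypothetical placeholders.

// Vulnerable pattern: wp_ajax_* hooks fire for every authenticated user
// (subscribers included), and the callback never asks whether the caller
// is actually allowed to install plugins.
function example_install_and_activate_vulnerable() {
    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( $_POST['plugin_slug'] ) : '';
    // ... plugin install/activate logic for $slug would run here ...
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_vulnerable', 'example_install_and_activate_vulnerable' );

// Fixed pattern: verify a nonce (CSRF protection) and the capabilities that
// by default only administrators hold. wp_send_json_error() ends the request
// via wp_die(), so nothing below it runs for an unauthorized caller.
function example_install_and_activate_fixed() {
    // Nonce is expected in the 'nonce' POST field; the matching value is
    // generated with wp_create_nonce( 'example_install_nonce' ) on the admin page.
    check_ajax_referer( 'example_install_nonce', 'nonce' );

    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( $_POST['plugin_slug'] ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    // ... plugin install/activate logic for $slug would run here ...
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_fixed', 'example_install_and_activate_fixed' );
```

The capability check, not the nonce alone, is what closes this class of issue: a nonce only proves the request came from a page the site rendered for that user, while `current_user_can()` proves the user's role is permitted to perform the action.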

Fix

LPE

Missing Authorization


Weakness Enumeration

Related Identifiers: CVE-2024-10673

Affected Products: Top Store