CVE-2021-4385: 
WordPress vulnerability analysis and mitigation

CVE-2021-4385 affects the WP Private Content Plus WordPress plugin versions up to and including 3.1. The vulnerability was discovered and publicly disclosed on March 1, 2021, affecting the plugin's save_groups() function due to missing or incorrect nonce validation (CVE Details).

The vulnerability is a Cross-Site Request Forgery (CSRF) issue in the save_groups() function of the WP Private Content Plus plugin. The function lacks proper nonce validation, which is a security mechanism designed to prevent CSRF attacks. The vulnerability has been assigned a CVSS score of 8.8 (high severity) (WPScan).

This vulnerability allows unauthenticated attackers to add new group members to the system by tricking authenticated administrators into performing specific actions, such as clicking on malicious links. The successful exploitation could lead to unauthorized access to private content and potential privilege escalation (CVE Details).

The vulnerability has been fixed in version 3.2 of the WP Private Content Plus plugin. Site administrators are strongly advised to update to this version or later to protect against CSRF attacks. If immediate updating is not possible, administrators should be cautious about clicking on unknown links while logged into the WordPress admin panel (WPScan).