CVE-2022-1603: 
WordPress vulnerability analysis and mitigation

The Mail Subscribe List WordPress plugin versions prior to 2.1.4 contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2022-1603. The vulnerability was discovered and reported by Daniel Ruf on May 26, 2022, and has been assigned a CVSS score of 4.3 (medium) (WPScan).

The vulnerability exists due to the absence of CSRF protection mechanisms when deleting subscribed users from the mailing list. The plugin fails to implement proper CSRF checks during the user deletion process, which can be exploited through a simple form submission (WPScan). The vulnerability has been classified under CWE-352 and aligns with the OWASP Top 10 category A2: Broken Authentication and Session Management.

An attacker can exploit this vulnerability to make a logged-in administrator unknowingly delete arbitrary users from the subscribed list. This could lead to unauthorized removal of subscribers from the mailing list, potentially disrupting communication with legitimate subscribers (WPScan).

The vulnerability has been fixed in version 2.1.4 of the Mail Subscribe List plugin. Users are strongly recommended to update to this version or later to protect against potential CSRF attacks (WPScan).