CVE-2023-0080: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2023-0080 affects the Customer Reviews for WooCommerce plugin versions prior to 5.16.0. The vulnerability was discovered and publicly disclosed on January 23, 2023. It is a Local File Inclusion (LFI) vulnerability that affects WordPress installations using the affected plugin versions (WPScan).

The vulnerability stems from improper validation of a shortcode attribute in the plugin, which enables users with contributor-level permissions or higher to perform traversal attacks for including arbitrary files. The vulnerability has been assigned a CVSS score of 9.1 (Critical) and is classified under CWE-22 (Path Traversal). The issue specifically occurs when the 'Enable shortcodes and Gutenberg blocks' setting is enabled in the Reviews Settings (WPScan).

The vulnerability allows attackers to read non-PHP files and retrieve their content through path traversal. More critically, Remote Code Execution (RCE) could be achieved if an attacker manages to upload a malicious image containing PHP code and then include it via the affected attribute. Users with author privileges or higher can easily achieve this due to their file upload capabilities (WPScan).

The vulnerability has been fixed in version 5.16.0 of the Customer Reviews for WooCommerce plugin. Site administrators should update to this version or later to protect against this vulnerability (WPScan).