CVE-2023-0335: 
WordPress vulnerability analysis and mitigation

CVE-2023-0335 affects the WordPress plugin WP Shamsi versions 4.3.3 and below. The vulnerability was discovered and publicly disclosed on February 28, 2023. This security issue combines CSRF (Cross-Site Request Forgery) and broken access control vulnerabilities that affect WordPress installations using the WP Shamsi plugin (WPScan).

The vulnerability allows users with subscriber-level permissions to delete attachments from the WordPress installation, which should normally be restricted to higher privilege levels. The issue has been assigned a CVSS score of 4.3 (Medium) and is classified under CWE-862 (Missing Authorization). The vulnerability specifically involves the mishandling of attachment deletion functionality through the admin-ajax.php endpoint (WPScan).

When exploited, this vulnerability allows authenticated users with subscriber-level access (the lowest privilege level in WordPress) to delete any attachment files from the WordPress media library. This can lead to content loss and potential disruption of website functionality (WPScan).

As of the last update, there is no known fix available for this vulnerability. Website administrators using WP Shamsi plugin version 4.3.3 or below should consider either removing the plugin or implementing additional access controls at the web server level to restrict access to the affected functionality (WPScan).