CVE-2023-0441: 
WordPress vulnerability analysis and mitigation

CVE-2023-0441 affects the Gallery Blocks with Lightbox WordPress plugin versions below 3.0.8. The vulnerability was discovered and publicly disclosed on March 6, 2023. This security issue impacts the simply-gallery-block WordPress plugin, allowing authenticated users with subscriber-level access to perform unauthorized actions (WPScan).

The vulnerability stems from an AJAX endpoint in the plugin that can be accessed by any authenticated users, including those with subscriber privileges. The callback function permits various actions, with the most critical being the ability to read and update WordPress options. The vulnerability has been assigned a CVSS score of 8.8 (High) and is classified as a CWE-862 (Missing Authorization) issue. It falls under the OWASP Top 10 category A5: Broken Access Control (WPScan).

The most severe impact of this vulnerability is that it could be exploited to enable user registration with a default administrator role. This means that an authenticated attacker with minimal privileges (subscriber level) could potentially create new administrator accounts, effectively compromising the entire WordPress installation (WPScan).

The vulnerability has been fixed in version 3.0.8 of the Gallery Blocks with Lightbox plugin. Users are advised to update to this version or later to protect their WordPress installations (WPScan).