CVE-2023-0453: 
WordPress vulnerability analysis and mitigation

The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before version 1.0.6 contains a vulnerability where private messages can be accessed by unauthorized users. The vulnerability was discovered and publicly disclosed on January 30, 2023. This security issue affects the private messaging functionality of WordPress installations using the affected plugin versions (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue, where the plugin fails to properly validate that private messages belong to the user making the request. This allows any authenticated user to access private messages belonging to other users by simply manipulating the message ID parameter. The vulnerability has been assigned a CVSS score of 4.3 (medium) and is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) (WPScan).

The vulnerability allows any authenticated user to access private messages that belong to other users on the system. This can lead to unauthorized access to potentially sensitive or confidential information exchanged through private messages on the platform (WPScan).

The vulnerability has been fixed in version 1.0.6 of the WP Private Message plugin. Users are strongly advised to update to this version or later to protect against unauthorized access to private messages (WPScan).