CVE-2023-0684: 
WordPress vulnerability analysis and mitigation

The Wicked Folders plugin for WordPress (versions up to and including 2.18.16) was identified with a vulnerability tracked as CVE-2023-0684. The vulnerability was discovered and publicly disclosed on February 7, 2023. This security issue affects the plugin's folder management functionality, specifically in the ajaxunassignfolders function (NVD).

The vulnerability is classified as an authorization bypass due to a missing capability check in the ajaxunassignfolders function. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while Wordfence assessed it with a slightly higher score of 5.4 (Medium). The vulnerability is categorized under CWE-862 (Missing Authorization) (NVD, WPScan).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to perform administrative actions related to the plugin's folder structure. This includes the ability to modify, move, delete, or create folders, which should normally be restricted to administrators (NVD).

The vulnerability has been patched in version 2.18.17 of the Wicked Folders plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).