CVE-2023-0713: 
WordPress vulnerability analysis and mitigation

The Wicked Folders WordPress plugin (versions up to and including 2.18.16) contains an authorization bypass vulnerability (CVE-2023-0713) discovered in February 2023. The vulnerability affects the ajaxaddfolder function due to missing capability checks, which could allow authenticated users with subscriber-level permissions or higher to perform administrative actions (NVD, WPScan).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 4.3 (Medium) according to NVD, and 5.4 (Medium) according to Wordfence. The security flaw exists in the plugin's folder management functionality, where the ajaxaddfolder function lacks proper authorization checks, enabling unauthorized users to modify the folder structure maintained by the plugin (NVD).

When exploited, this vulnerability allows authenticated attackers with subscriber-level permissions to perform administrative actions such as moving, deleting, and creating folders within the plugin's structure. This could lead to unauthorized modifications of the website's folder organization (WPScan).

The vulnerability has been patched in version 2.18.17 of the Wicked Folders plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).