CVE-2023-0726: 
WordPress vulnerability analysis and mitigation

The Wicked Folders plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 2.18.16, identified as CVE-2023-0726. The vulnerability was discovered and disclosed on February 7, 2023. The issue affects the ajaxeditfolder function due to missing or incorrect nonce validation (NVD).

The vulnerability stems from improper security controls in the ajaxeditfolder function within the plugin's codebase. The CVSS v3.1 base score is 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N according to NVD's assessment. Wordfence rates it slightly higher at 5.4 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to perform administrative actions by tricking site administrators into clicking malicious links. Specifically, attackers can manipulate the folder structure maintained by the plugin when an administrator performs certain actions (NVD).

Users should update the Wicked Folders plugin to a version newer than 2.18.16 to address this vulnerability. The fix involves proper implementation of nonce validation in the ajaxeditfolder function (NVD).