CVE-2023-0814: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2023-0814 affects the Profile Builder WordPress plugin versions up to 3.9.0. This security flaw is related to missing authorization within the wppbtoolboxusermeta_handler() function, which could allow unauthorized access to sensitive user metadata (Wordfence Blog, WPScan).

The vulnerability exists due to insufficient validation of meta values retrieved via the usermeta shortcode. When the usermeta shortcode is enabled, any authenticated user, including those with subscriber-level access, can potentially access sensitive user metadata. The issue was assigned a CVSS score of 5.3 (medium) and is classified as a Sensitive Data Disclosure vulnerability, falling under the OWASP Top 10 category A3: Sensitive Data Exposure (WPScan).

The vulnerability allows authenticated users with low-privilege access levels (such as subscribers) to retrieve sensitive user metadata when the user_meta shortcode is enabled. This information disclosure could potentially lead to unauthorized access to sensitive user information (WPScan).

The vulnerability has been patched in version 3.9.1 of the Profile Builder plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).