CVE-2023-0911: 
WordPress vulnerability analysis and mitigation

The WordPress Shortcodes Plugin — Shortcodes Ultimate before version 5.12.8 contains a sensitive data disclosure vulnerability (CVE-2023-0911). The vulnerability was discovered and publicly disclosed on February 27, 2023. The plugin fails to properly validate user meta retrieval via the user shortcode, potentially exposing sensitive user information (WPScan).

The vulnerability allows any authenticated users, including those with subscriber-level access, to retrieve arbitrary user meta information (except for user_pass) such as user email and activation keys. The issue has been assigned a CVSS score of 4.3 (medium) and is classified as CWE-200 (Sensitive Data Disclosure). It aligns with OWASP Top 10 category A3: Sensitive Data Exposure (WPScan).

When exploited, the vulnerability allows authenticated users to access sensitive user metadata, including email addresses and activation keys, of other users on the WordPress installation. This unauthorized access to user information could potentially be used for further attacks or user privacy violations (WPScan).

The vulnerability has been fixed in version 5.12.8 of the Shortcodes Ultimate plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).