CVE-2023-0993: 
WordPress vulnerability analysis and mitigation

The Shield Security plugin for WordPress (wp-simple-firewall) contained a Missing Authorization vulnerability in versions prior to 17.0.18. The vulnerability was discovered by Ramuel Gall and was disclosed on April 25, 2023, identified as CVE-2023-0993. The issue affected the 'theme-plugin-file' AJAX action, which lacked proper authorization controls (Wordfence Blog, WPScan).

The vulnerability stems from missing authorization checks in the 'theme-plugin-file' AJAX action. This security flaw allows any authenticated user, including those with subscriber-level access, to call the affected endpoint and create arbitrary audit log entries. The vulnerability has been assigned a CVSS score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Wordfence Blog).

The vulnerability allows authenticated users with low-privilege roles (such as subscribers) to add arbitrary audit log entries to the system. Additionally, due to insufficient escaping of some entry metadata, this could potentially lead to Stored Cross-Site Scripting (XSS) attacks (WPScan).

The vulnerability has been patched in Shield Security version 17.0.18. Site administrators are strongly advised to update to this version or later to address the security issue (WPScan).