CVE-2023-1874: 
WordPress vulnerability analysis and mitigation

CVE-2023-1874 affects the WP Data Access plugin for WordPress in versions up to and including 5.3.7. The vulnerability was discovered in April 2023 and allows authenticated users with minimal permissions to escalate their privileges to administrator level when the 'Enable role management' feature is enabled (WPScan, Wordfence).

The vulnerability stems from insufficient authorization checks in the multiplerolesupdate function of the plugin. When the 'Enable role management' setting is enabled, authenticated users can manipulate the wpda_role[] parameter during a profile update to modify their user roles without proper authorization. The vulnerability has been assigned a CVSS score of 7.5 (High) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (TheSecMaster).

When exploited, this vulnerability allows authenticated users with minimal permissions (such as subscribers) to elevate their privileges to administrator level. This could lead to unauthorized access to sensitive site features and data, potentially resulting in complete control over the affected website (TheSecMaster).

The vulnerability was patched in version 5.3.8 of the WP Data Access plugin, released on April 6, 2023. Site administrators should update to this version or later immediately. As an additional security measure, it is recommended to disable the 'Role Management' setting if it is not necessary for site operations (TheSecMaster).