CVE-2023-2173: 
WordPress vulnerability analysis and mitigation

The BadgeOS WordPress plugin (versions up to 3.7.1.6) contains an Insecure Direct Object Reference vulnerability (CVE-2023-2173). The vulnerability exists due to improper validation and authorization checks within multiple handler functions including badgeosdeletestepajaxhandler, badgeosdeleteawardstepajaxhandler, badgeosdeletedeductstepajaxhandler, and badgeosdeleterankreqstepajaxhandler. This security flaw allows authenticated attackers with subscriber-level permissions or higher to delete arbitrary posts (NVD).

The vulnerability has received a CVSS v3.1 base score of 6.5 (Medium) from Wordfence with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, while the NVD assigned a score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability stems from insufficient security controls in the plugin's AJAX handlers that manage step deletion functionality, allowing authenticated users to bypass intended access restrictions (NVD).

When exploited, this vulnerability allows authenticated attackers with subscriber-level permissions or higher to delete arbitrary posts within the WordPress installation. This can lead to unauthorized modification of site content and potential disruption of site functionality (NVD).

Users should update the BadgeOS plugin to a version newer than 3.7.1.6. The vulnerability has been patched in the plugin's source code, as evidenced by multiple patch files (Patch).