CVE-2023-2351: 
WordPress vulnerability analysis and mitigation

CVE-2023-2351 affects the WP Directory Kit plugin for WordPress versions up to and including 1.2.3. The vulnerability was discovered and disclosed on June 12, 2023, and involves a missing capability check on the 'ajax_admin' function that allows unauthorized modification of plugin data (NVD).

The vulnerability stems from a missing capability check in the 'ajax_admin' function, which allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized actions. The vulnerability has received a CVSS v3.1 base score of 6.5 (Medium) from Wordfence and 4.3 (Medium) from NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers to delete or modify plugin settings, import demo data, delete Directory Kit related posts and terms, and install arbitrary plugins. A partial patch was introduced in version 1.2.0, but the complete fix wasn't implemented until version 1.2.4 (NVD).

Users should upgrade to WP Directory Kit version 1.2.4 or later which contains the complete fix for this vulnerability. The vulnerability was partially addressed in version 1.2.0, but the complete patch wasn't implemented until version 1.2.4 (NVD).