CVE-2023-23706: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin versions 7.5.14 and below. The vulnerability was publicly disclosed on February 15, 2023, and was assigned CVE-2023-23706. The issue was fixed in version 7.5.15 of the plugin (Patchstack, WPScan).

The vulnerability stems from the absence of CSRF protection mechanisms in certain areas of the plugin. The severity of this vulnerability has been assessed with different CVSS scores by various organizations: NIST assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rated it at 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow attackers to make logged-in administrators perform unwanted actions through CSRF attacks. This security issue could potentially lead to unauthorized actions being executed under the context of a privileged user (Patchstack).

Users are advised to update to version 7.6.0 or later of the WordPress Social Login and Register plugin to remediate this vulnerability. This version includes the necessary security fixes to address the CSRF issue (Patchstack).