CVE-2023-27459: 
WordPress vulnerability analysis and mitigation

CVE-2023-27459 is a Deserialization of Untrusted Data vulnerability affecting the WPEverest User Registration WordPress plugin versions through 2.3.2.1. The vulnerability was discovered and reported by Rafie Muhammad, and was publicly disclosed on March 21, 2023 (Patchstack).

The vulnerability stems from the plugin's unserializing user input via the urgetuserextrafields and userregistrationform_field functions. This issue has been classified as CWE-502 (Deserialization of Untrusted Data). The vulnerability has received a CVSS v3.1 base score of 7.4 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (WPScan).

The vulnerability could allow authenticated users, including those with subscriber-level access, to perform PHP Object Injection when a suitable gadget is present on the blog. This type of vulnerability could potentially lead to code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present (Patchstack).

The vulnerability has been fixed in version 2.3.3 of the User Registration plugin. Users are advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).