CVE-2023-28498: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in MotoPress Hotel Booking Lite plugin versions 4.6.0 and below. The vulnerability was reported on March 16, 2023, and was assigned CVE-2023-28498. This security issue affects WordPress installations using the vulnerable versions of the Hotel Booking Lite plugin (Patchstack).

The vulnerability stems from the plugin's lack of CSRF protection when updating its settings. The issue has been assigned CWE-352 (Cross-Site Request Forgery). The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack assessed it with a CVSS score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability could allow attackers to make a logged-in administrator change plugin settings via a CSRF attack. This could potentially lead to unauthorized modifications of the plugin's configuration (WPScan).

The vulnerability has been fixed in version 4.7.0 of the Hotel Booking Lite plugin. Users are advised to update to this version or later to remove the vulnerability (WPScan).