CVE-2023-2916: 
WordPress vulnerability analysis and mitigation

The InfiniteWP Client plugin for WordPress (CVE-2023-2916) contains a Sensitive Information Exposure vulnerability affecting versions up to and including 1.11.1. The vulnerability was discovered by István Márton and publicly disclosed on August 14, 2023. This security issue affects the WordPress plugin specifically through the 'admin_notice' function (NVD, WPScan).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to extract sensitive data, including configuration information. The security flaw is specifically tied to the 'admin_notice' function and can only be exploited if the plugin has not been configured yet. The vulnerability has received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H according to Wordfence's assessment (NVD).

If successfully exploited, this vulnerability can lead to the exposure of sensitive configuration data. Furthermore, when combined with another arbitrary plugin installation and activation vulnerability, it could potentially enable attackers to connect a site to InfiniteWP, enabling remote management capabilities and privilege elevation (NVD).

The vulnerability has been patched in version 1.12.1 of the InfiniteWP Client plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).