CVE-2023-31215: 
WordPress vulnerability analysis and mitigation

The CVE-2023-31215 affects the Dropshipping & Affiliation with Amazon WordPress plugin versions up to and including 2.1.2. This vulnerability is classified as an Unrestricted Upload of File with Dangerous Type, discovered and reported by researcher spacecroupier on April 26, 2023, and publicly disclosed on October 3, 2023 (Patchstack, WPScan).

The vulnerability exists due to missing file type validation on files imported from a URL via the wpas_import_product_from_amazon() function called via an AJAX action. The severity of this vulnerability is rated as CRITICAL with a CVSS v3.1 base score of 9.9 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) according to Patchstack, while NVD rates it as HIGH with a CVSS score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (Patchstack).

The vulnerability allows authenticated attackers with subscriber-level access or higher to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution, giving attackers significant control over the compromised website (WPScan).

As of the latest reports, there is no known official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).