CVE-2023-32299: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the Ni WooCommerce Sales Report WordPress plugin, tracked as CVE-2023-32299. The vulnerability affects versions through 3.7.3 of the plugin and involves incorrectly configured access control security levels. The issue was initially reported on May 6, 2023, and was publicly disclosed on October 25, 2023 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 6.5 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, requires no user interaction, and has a high impact on confidentiality but no impact on integrity or availability (Patchstack).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. This broken access control issue is considered highly dangerous and is expected to become mass exploited (Patchstack).

The vulnerability has been fixed in version 3.7.4 of the Ni WooCommerce Sales Report plugin. Users are advised to update to version 3.7.4 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).