CVE-2023-33313: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ThemeinProgress WIP Custom Login plugin versions 1.2.9 and below. The vulnerability was reported on April 26, 2023, by LEE SE HYOUNG and was publicly disclosed on May 22, 2023. The issue affects WordPress installations using the vulnerable plugin versions (Patchstack).

The vulnerability stems from the plugin's failure to implement proper CSRF protections for certain actions. This security flaw has been assigned CVE-2023-33313 and is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability has received varying CVSS scores, with NVD assigning a CVSS v3.1 Base Score of 8.8 (HIGH) and Patchstack rating it at 4.3 (MEDIUM) (NVD, WPScan).

The vulnerability allows an unauthenticated attacker to perform actions on behalf of authenticated users by tricking them into submitting crafted requests. This could potentially lead to unauthorized actions being executed under the context of the victim's authentication level (WPScan).

The vulnerability has been fixed in version 1.3.0 of the WIP Custom Login plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).