CVE-2023-35037: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in Surfer plugin versions up to 1.3.2.357. The vulnerability was discovered by Jonas Höbenreich and was assigned CVE-2023-35037. The issue was reported on June 9, 2023, and publicly disclosed on September 1, 2023. This security flaw affects the WordPress Surfer plugin, allowing potential exploitation of incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS score of 7.6 (High severity). The security flaw stems from missing authorization, authentication, or nonce token checks in certain functions, potentially allowing unprivileged users to execute higher privileged actions (Patchstack).

This vulnerability is considered highly dangerous and is expected to become mass exploited. The broken access control issue could allow unprivileged users to perform actions that should be restricted to users with higher privileges (Patchstack).

The vulnerability has been fixed in version 1.3.3.379 of the Surfer plugin. Users are strongly advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).