CVE-2023-35038: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the wpexperts.Io WP PDF Generator WordPress plugin, affecting versions 1.2.2 and below. The vulnerability was reported on May 3, 2023, and publicly disclosed on June 13, 2023. The issue was assigned CVE-2023-35038 and has been patched in version 1.2.3 (Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue, identified as CWE-352. It received varying CVSS scores from different sources: NIST assigned a high severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as medium severity with a score of 5.4. The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (NVD, WPScan).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The attack can be initiated by an unauthenticated user, potentially leading to unauthorized actions being performed on behalf of authenticated administrators (Patchstack).

The vulnerability has been patched in version 1.2.3 of the WP PDF Generator plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).