CVE-2023-35093: 
WordPress vulnerability analysis and mitigation

A Broken Access Control vulnerability was identified in StylemixThemes MasterStudy LMS WordPress Plugin (CVE-2023-35093), affecting versions 3.0.8 and below. The vulnerability was discovered by Rafshanzani Suhada and publicly disclosed on June 15, 2023. This security flaw allows any authenticated users, including those with subscriber-level privileges, to view the 'Orders' section of the plugin and access sensitive order-related data such as email addresses and usernames (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and requiring low privileges. The vulnerability stems from missing authorization controls in the plugin's functionality (NVD).

The exploitation of this vulnerability allows authenticated users with subscriber-level access to view order information, potentially exposing sensitive customer data including email addresses and usernames. This unauthorized access to order data represents a significant privacy concern for e-learning platforms using the affected plugin (Patchstack).

The vulnerability has been patched in version 3.0.9 of the MasterStudy LMS plugin. Site administrators are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).