CVE-2023-3510: 
WordPress vulnerability analysis and mitigation

The FTP Access WordPress plugin through version 1.0 contains a security vulnerability identified as CVE-2023-3510. The vulnerability was discovered and publicly disclosed on August 21, 2023. This vulnerability affects the plugin's settings functionality and impacts WordPress installations using the FTP Access plugin version 1.0 and earlier (WPScan).

The vulnerability stems from multiple security control failures in the plugin's settings functionality. Specifically, the plugin lacks proper authorization checks, CSRF (Cross-Site Request Forgery) protections, and adequate input sanitization and output escaping in its settings. The vulnerability has been assigned a CVSS score of 8.0 (High), indicating significant severity. The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified under CWE-79 (WPScan).

The vulnerability allows any authenticated user, including those with minimal privileges such as subscribers, to inject malicious XSS payloads into the plugin's settings. These payloads are then triggered when an administrator views the plugin's settings page, potentially leading to unauthorized actions being performed with administrator privileges (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Website administrators running the affected plugin should consider either removing the plugin or implementing additional security controls to restrict access to the plugin's settings page (WPScan).