CVE-2023-36690: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability affects VibeThemes WPLMS theme versions 4.900 and earlier. The vulnerability was discovered by Dave Jong and was publicly disclosed on July 5, 2023. The issue has been assigned CVE-2023-36690 and affects the WordPress Learning Management System theme (Patchstack).

The vulnerability stems from inadequate request verification where the plugin does not properly implement nonce checks, making it susceptible to Cross-Site Request Forgery attacks. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (WPScan).

This vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The attack requires user interaction but can potentially lead to high impacts on both integrity and availability of the system (Patchstack).

The vulnerability has been fixed in WPLMS theme version 4.900. Users are strongly advised to update to this version or later to remove the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to a fixed version (Patchstack).