CVE-2023-3764: 
WordPress vulnerability analysis and mitigation

The WooCommerce PDF Invoice Builder plugin for WordPress (versions up to and including 1.2.90) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2023-3764. The vulnerability stems from missing or incorrect nonce validation on the Save function, which was discovered and disclosed on August 31, 2023 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The technical root cause is attributed to improper implementation of security controls, specifically the absence of proper nonce validation in the Save function (Wordfence).

The vulnerability allows unauthenticated attackers to make unauthorized changes to invoices through forged requests. The attack can only be successful if the attacker manages to trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

Patches have been released to address this vulnerability. Users should update their WooCommerce PDF Invoice Builder plugin to a version newer than 1.2.90. The fix includes proper implementation of nonce validation for the Save function (WordPress Plugin).