CVE-2023-37973: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability affects David Pokorny Replace Word WordPress plugin versions 2.1 and below. The vulnerability was discovered by Yuki Haruma and was publicly disclosed on July 12, 2023. The vulnerability received the identifier CVE-2023-37973 and affects all installations of the Replace Word plugin up to and including version 2.1 (Patchstack).

The vulnerability stems from inadequate request verification using nonces in the plugin. It has received a CVSS v3.1 base score of 5.4 (Medium) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L, while the NVD assessment indicates a higher severity score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (WPScan).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. This CSRF vulnerability potentially enables attackers to perform unauthorized actions on behalf of authenticated users who visit specially crafted malicious web pages (Patchstack).

Currently, there is no official fix available for this vulnerability. Given the low severity impact assessment from Patchstack, they indicate that virtual patching is unnecessary (Patchstack).