CVE-2023-3957: 
WordPress vulnerability analysis and mitigation

The ACF Photo Gallery Field plugin for WordPress (versions up to 1.9) contains a vulnerability (CVE-2023-3957) related to unauthorized modification of data. The vulnerability was discovered and publicly disclosed on July 26, 2023. The issue affects the 'apgprofileupdate' function, which lacks sufficient restrictions on user meta updates (NVD).

The vulnerability is classified as an Incorrect Authorization (CWE-863) issue with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges. The security flaw exists in the insufficient restriction mechanism of the 'apgprofileupdate' function (Wordfence).

The vulnerability allows authenticated attackers with subscriber-level permissions or above to update user metas arbitrarily. While the impact is somewhat limited as the meta value can only be a string, it still represents a security risk through unauthorized data modification (WPScan).

The vulnerability has been patched in version 2.0 of the ACF Photo Gallery Field plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).