CVE-2023-3977: 
WordPress vulnerability analysis and mitigation

CVE-2023-3977 affects multiple WordPress plugins by Inisev, discovered and disclosed in July 2023. The vulnerability is a Cross-Site Request Forgery (CSRF) issue in the handleinstallation function that is called via the inisevinstallation AJAX action. This vulnerability affects various versions of multiple plugins including backup-backup, copy-delete-posts, enhanced-text-widget, feedburner-alternative-and-rss-redirect, http-https-remover, pop-up-pop-up, redirect-redirection, ultimate-posts-widget, ultimate-social-media-icons, and ultimate-social-media-plus (Wordfence).

The vulnerability stems from a missing nonce check in the handle_installation function that processes AJAX requests. This security flaw has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability allows for unauthorized plugin installations through forged requests when an administrator can be tricked into performing specific actions (NVD).

The vulnerability allows unauthenticated attackers to trick site administrators into installing plugins from a limited list via forged requests. This could potentially lead to unauthorized plugin installations on WordPress sites, though it requires user interaction from an administrator account (Wordfence).

Updates have been released for all affected plugins with the following versions: backup-backup (1.2.8), copy-delete-posts (1.4.0), enhanced-text-widget (1.5.8), feedburner-alternative-and-rss-redirect (3.8), http-https-remover (3.2.4), pop-up-pop-up (1.2.0), redirect-redirection (1.1.4), ultimate-posts-widget (2.2.5), ultimate-social-media-icons (2.8.2), and ultimate-social-media-plus (3.5.8). Site administrators should update to these or later versions to mitigate the vulnerability (WPScan).