CVE-2023-40005: 
WordPress vulnerability analysis and mitigation

A broken access control vulnerability was discovered in the WordPress Easy Digital Downloads plugin versions 3.1.5 and below, identified as CVE-2023-40005. The vulnerability was reported by security researcher Nguyen Anh Tien on August 14, 2023, and was publicly disclosed on December 26, 2023. This security issue affects the Easy Digital Downloads WordPress plugin, which is a popular eCommerce solution (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS score of 5.3 (Medium severity). The security flaw stems from missing authorization, authentication, or nonce token checks in certain functions, potentially allowing unprivileged users to execute higher privileged actions. This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control (Patchstack).

The vulnerability is considered moderately dangerous and is expected to become exploited. It could potentially allow unauthorized users to perform actions that should be restricted to users with higher privileges, compromising the security of websites using the affected plugin versions (Patchstack).

The vulnerability has been fixed in version 3.2.0 of the Easy Digital Downloads plugin. Website administrators are advised to update to version 3.2.0 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).