CVE-2023-40204: 
WordPress vulnerability analysis and mitigation

The CVE-2023-40204 is an Unrestricted Upload of File with Dangerous Type vulnerability affecting the Premio Folders WordPress plugin (Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager) through version 2.9.2. The vulnerability was discovered by Rafie Muhammad and was publicly disclosed on August 28, 2023 (Wordfence Intel, Patchstack).

The vulnerability exists in the handle_folders_file_upload function due to missing file type validation. It received a CVSS v3.1 base score of 9.1 (Critical) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, while NIST assigned a score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability allows authenticated attackers with author-level permissions or above to upload arbitrary files to the affected site's server. This could potentially lead to remote code execution on the affected WordPress installations (WPScan).

Users are advised to update to version 2.9.3 or later of the Folders plugin to resolve this vulnerability. Patchstack has also issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).