CVE-2023-41649: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-41649) is a Missing Authorization vulnerability affecting the Ovic Product Bundle WordPress plugin versions up to and including 1.1.2. The vulnerability was discovered by researcher thiennv and was publicly disclosed on September 1, 2023. The issue stems from missing authorization controls in the plugin's functionality (WPScan, Patchstack).

The vulnerability is caused by a missing capability check on the remove_bundle_product() function, which is hooked via a nopriv AJAX action. The vulnerability has been assigned a CVSS 3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. It is classified under CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to remove bundled products from the system. This broken access control issue enables unprivileged users to execute higher privileged actions, potentially affecting the integrity and availability of the product bundle functionality (Patchstack).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).