CVE-2023-41796: 
WordPress vulnerability analysis and mitigation

The CVE-2023-41796 is an Authorization Bypass Through User-Controlled Key vulnerability affecting WP Sunshine's Sunshine Photo Cart plugin for WordPress. The vulnerability was discovered in versions before 3.0.0 and was disclosed on December 20, 2023. This security issue impacts the Sunshine Photo Cart: Free Client Galleries for Photographers WordPress plugin (NVD, Patchstack).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has received a CVSS v3.1 base score of 6.5 (MEDIUM) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Patchstack assigned a slightly lower CVSS score of 5.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to perform order manipulation through Insecure Direct Object References (IDOR). This security issue could enable malicious actors to bypass authorization, authentication, access sensitive files/folders, or interact with the database (Patchstack).

Users are advised to update to Sunshine Photo Cart version 3.0.0 or later to remediate this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to a fixed version (Patchstack).