CVE-2023-4248: 
WordPress vulnerability analysis and mitigation

The GiveWP plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability tracked as CVE-2023-4248, affecting versions up to and including 2.33.3. The vulnerability was discovered and reported by Wordfence, with initial disclosure on January 11, 2024 (NVD CVE).

The vulnerability stems from missing or incorrect nonce validation in the give_stripe_disconnect_connect_stripe_account function. This security flaw has received a CVSS v3.1 base score of 4.3 (MEDIUM) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, while Wordfence assessed it with a slightly higher score of 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L (NVD CVE).

If exploited, this vulnerability allows unauthenticated attackers to deactivate the plugin's Stripe integration settings through a forged request, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (NVD CVE).

The vulnerability has been patched, as evidenced by changes in the WordPress plugin repository. Users should upgrade to a version newer than 2.33.3 to protect against this vulnerability (WordPress Plugin).