CVE-2023-44142: 
WordPress vulnerability analysis and mitigation

The Inactive Logout WordPress plugin, versions up to and including 3.2.2, contains a Missing Authorization vulnerability identified as CVE-2023-44142. The vulnerability was discovered by researcher Elliot and publicly disclosed on September 20, 2023. This security issue affects the plugin's authorization mechanisms, potentially allowing unauthorized access to certain plugin functionalities (WPScan, Patchstack).

The vulnerability stems from a missing capability check in the inaresetadvsettings() function. It has been assigned a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. The issue is classified under CWE-862 (Missing Authorization) and falls into the OWASP Top 10 category A5: Broken Access Control (WPScan, [Patchstack](https://patchstack.com/database/wordpress/plugin/inactive-logout/vulnerability/wordpress-inactive-logout-plugin-3-2-2-broken-access-control-vulnerability?s_id=cve)).

The vulnerability allows authenticated attackers with subscriber-level access or higher to reset the plugin's settings without proper authorization. This could lead to unauthorized modification of data and potential disruption of the plugin's functionality (WPScan).

The vulnerability has been fixed in version 3.2.3 of the Inactive Logout plugin. Users are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).