CVE-2023-44150: 
WordPress vulnerability analysis and mitigation

The ProfilePress WordPress plugin (formerly WP User Avatar) was found to contain a sensitive information exposure vulnerability (CVE-2023-44150) affecting versions up to 4.13.2. The vulnerability was discovered and reported by Joshua Chan, and a fix was released in version 4.13.3 (Patchstack).

The vulnerability stems from unprotected access to debug logs in the ProfilePress plugin. The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows unauthenticated attackers to retrieve debug logs which may contain sensitive information including system errors. This exposure could potentially reveal critical system information that could be leveraged for further attacks (WPScan).

Users are strongly advised to update their ProfilePress plugin to version 4.13.3 or later to resolve this vulnerability. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).