CVE-2023-44472: 
WordPress vulnerability analysis and mitigation

The Unyson WordPress plugin, versions up to and including 2.7.28, contains a Missing Authorization vulnerability identified as CVE-2023-44472. The vulnerability was discovered by Abdi Pranata and publicly disclosed on September 29, 2023. This security issue affects the plugin's functionality related to access control and data modification (Patchstack, WPScan).

The vulnerability is classified as a Broken Access Control issue (OWASP Top 10 A5) with a CVSS score of 4.3 (medium). The security flaw stems from missing capability checks on several functions, which allows unauthorized access and modification of data. The vulnerability is tracked under CWE-862, indicating a missing authorization component (WPScan, Patchstack).

The vulnerability enables authenticated attackers with subscriber-level access or higher to perform unauthorized actions within the plugin's functionality, including the ability to dismiss notices. While the severity is rated as medium, it represents a significant access control breach that could lead to unauthorized data modifications (WPScan).

While no official fix is available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. The security issue is considered to have a low severity impact and is unlikely to be exploited. Website administrators are advised to implement the virtual patch until an official fix becomes available (Patchstack).