CVE-2023-4536: 
WordPress vulnerability analysis and mitigation

CVE-2023-4536 affects the My Account Page Editor WordPress plugin versions before 1.3.2. The vulnerability was discovered and disclosed on January 16, 2024, and impacts WordPress installations using this plugin. The vulnerability stems from insufficient validation of profile picture uploads in the plugin (WPScan).

The vulnerability is classified with CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical issue lies in the plugin's failure to properly validate profile picture uploads, which allows authenticated users with subscriber-level access to upload arbitrary files to the server (NVD).

The vulnerability can lead to Remote Code Execution (RCE) on affected WordPress installations. This means attackers with even low-privilege authenticated access could potentially execute malicious code on the server, compromising the entire WordPress installation (WPScan).

Users should immediately update the My Account Page Editor plugin to version 1.3.2 or later to address this vulnerability. If immediate updating is not possible, administrators should consider disabling the "Upload Profile Picture" feature or restricting user registration until the update can be applied (NVD).