CVE-2023-45603: 
WordPress vulnerability analysis and mitigation

CVE-2023-45603 affects the User Submitted Posts WordPress plugin versions up to and including 20230902. The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type, allowing unauthenticated users to upload arbitrary files to the affected site's server. The issue was discovered on September 14, 2023, and was patched in version 20230914 (Patchstack Advisory).

The vulnerability exists in the usp_attach_images function where there is insufficient file type validation. The function only checks if the file extension contains 'php' but fails to properly validate other dangerous file types. The vulnerability can be triggered when the Image Uploads field is enabled in the Form Fields setting of the plugin. The CVSS v3.1 base score is 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

This vulnerability allows unauthenticated attackers to upload arbitrary files to the server, as long as the extension does not contain 'php'. This could potentially lead to remote code execution by uploading files with alternative executable extensions such as phtml. The vulnerability is considered highly dangerous and expected to become mass exploited (Patchstack Database).

The vulnerability was patched in version 20230914 by implementing a whitelist check for allowed file extensions before uploading files to the server. Users are strongly advised to update to version 20230914 or later to resolve this security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack Database).