CVE-2023-45658: 
WordPress vulnerability analysis and mitigation

The WordPress Nexter theme contains a Missing Authorization vulnerability (CVE-2023-45658) affecting versions through 2.0.3. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on October 12, 2023. This security issue affects the POSIMYTH Nexter theme for WordPress installations (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) due to missing capability checks on several functions including nexterextraextactiveajax, nexterextraextdeactivateajax, nexterextwpreplaceurlsettingsajax, nexterextwpduplicatepostsettingsajax, and nexterextsavedataajax. The vulnerability has received a CVSS v3.1 score of 7.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L (WPScan).

The vulnerability allows authenticated attackers with subscriber-level access and above to perform unauthorized actions such as duplicating posts, modifying settings, and other privileged operations. This represents a significant elevation of privileges for low-level users (Patchstack).

Users are advised to update to version 2.0.4 or later of the Nexter theme, which contains a fix for this vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).