CVE-2023-4600: 
WordPress vulnerability analysis and mitigation

The AffiliateWP WordPress plugin was found to contain a vulnerability (CVE-2023-4600) in versions up to and including 2.14.0. The vulnerability stems from a missing capability check on the 'affwpactivateaddonspageplugin' function called via an AJAX action, which could allow authenticated attackers with subscriber-level access or higher to activate arbitrary plugins (NVD).

The vulnerability is characterized by a missing capability check in the plugin's functionality that handles addon activation. This security flaw has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating a network-accessible vulnerability with low attack complexity requiring low privileges (Wordfence).

The vulnerability allows authenticated users with subscriber-level access or higher to activate arbitrary plugins on the affected WordPress installation. This could potentially lead to unauthorized changes in the website's functionality and security posture (NVD).

The vulnerability has been patched in versions after 2.14.0. Site administrators are strongly advised to update their AffiliateWP plugin to the latest version to protect against this security issue (AffiliateWP Changelog).