CVE-2023-46149: 
WordPress vulnerability analysis and mitigation

CVE-2023-46149 is an Unrestricted Upload of File with Dangerous Type vulnerability affecting Themify Ultra WordPress theme versions through 7.3.5. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on October 17, 2023. This security flaw affects the popular Themify Ultra theme, which has over 70,000 active installations (Security Online).

The vulnerability has received a CVSS v3.1 base score of 8.8 HIGH from NVD and 9.9 CRITICAL from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The issue stems from missing file type validation during file upload operations, which allows for unrestricted upload of files with dangerous types. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability enables authenticated attackers with subscriber access or higher to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution (RCE), allowing attackers to execute malicious code on the compromised server. The high severity rating indicates the potential for significant impact on the confidentiality, integrity, and availability of the affected systems (WPScan).

Users of Themify Ultra are strongly advised to update to version 7.3.6 or later, which contains patches for this vulnerability. The update addresses the file type validation issues and implements proper security measures to prevent unauthorized file uploads (Patchstack).