CVE-2023-46201: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Jeff Sherk's Auto Login New User After Registration WordPress plugin, affecting versions up to 1.9.6. The vulnerability was initially reported on April 26, 2023, and publicly disclosed on October 19, 2023. The security issue allows for Stored Cross-Site Scripting (XSS) attacks through CSRF (Patchstack).

The vulnerability stems from the plugin's lack of CSRF protection when updating its settings, combined with insufficient sanitization and escaping of input. This security flaw has received a CVSS v3.1 base score of 7.1 (High) from Patchstack and 6.1 (Medium) from NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (WPScan, Patchstack).

The vulnerability could allow attackers to force logged-in administrators to add Stored XSS payloads through a CSRF attack. This creates a potential for unauthorized actions to be executed under the administrator's authentication context (WPScan).

As of the latest reports, there is no official fix available for this vulnerability. The issue affects versions up to and including 1.9.6 of the Auto Login New User After Registration plugin (Patchstack).