CVE-2023-46212: 
WordPress vulnerability analysis and mitigation

A Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerability was discovered in TienCOP WP EXtra WordPress plugin affecting versions up to 6.2. The vulnerability was reported on September 21, 2023, and publicly disclosed on October 19, 2023 (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 base score of 8.8 (HIGH) according to NIST assessment (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), while Patchstack rates it at 6.3 (MEDIUM) (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The issue is tracked under CWE-862 (Missing Authorization) and CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unprivileged users to execute higher privileged actions due to missing authorization, authentication, or nonce token checks. This broken access control issue could potentially lead to unauthorized access to functionality not properly constrained by ACLs (Patchstack).

Users are advised to update to WP EXtra version 6.3 or later which contains the fix for this vulnerability. For immediate mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).