CVE-2023-46615: 
WordPress vulnerability analysis and mitigation

The KD Coming Soon WordPress plugin contains a Deserialization of Untrusted Data vulnerability, identified as CVE-2023-46615. The vulnerability affects all versions of KD Coming Soon up to and including version 1.7. This security issue was discovered by researcher Mika and was publicly disclosed on October 24, 2023 (WPScan, Patchstack).

The vulnerability is classified as a PHP Object Injection vulnerability that occurs in the kd_cemailer function through the deserialization of untrusted input parameter 'cetitle'. The severity of this vulnerability has received different CVSS scores from various sources: NIST rates it as Critical with a CVSS 3.1 Base Score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Patchstack assigns it a Medium severity with a CVSS score of 5.4 (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N). The vulnerability is categorized under CWE-502 (Deserialization of Untrusted Data) (NVD).

While no POP chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code. The vulnerability is particularly concerning as it requires no authentication to exploit (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider removing the plugin if it's not essential (Patchstack).