CVE-2023-46636: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the David Stöckl Custom Header Images WordPress plugin, affecting all versions up to and including 1.2.1. The vulnerability was initially reported on June 20, 2023, and was publicly disclosed on October 25, 2023 (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on an unspecified function. The severity assessment varies among different sources, with NIST NVD assigning a CVSS v3.1 Base Score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rates it at 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD, Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into clicking malicious links. The specific impact of these actions is not fully documented, but the vulnerability could potentially lead to unauthorized changes in the system (WPScan).

As of the latest reports, there is no official fix available for this vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).