CVE-2023-46641: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the WordPress 12 Step Meeting List plugin, identified as CVE-2023-46641. The vulnerability affects all versions up to and including 3.14.24 of the plugin developed by Code for Recovery. The issue was initially reported on October 25, 2023, and publicly disclosed on November 27, 2023 (Patchstack).

The vulnerability exists in the tsml_add_data_source parameter of the plugin, allowing authenticated users with contributor-level access or higher to make web requests to arbitrary locations originating from the web application. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NIST and 4.9 (Medium) from Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) (WPScan).

The vulnerability could allow malicious actors to execute website requests to arbitrary domains, potentially enabling them to query and modify information from internal services. This could lead to the discovery of sensitive information running on the system (Patchstack).

The vulnerability has been fixed in version 3.14.25 of the 12 Step Meeting List plugin. Users are advised to update to version 3.14.25 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).