CVE-2023-47507: 
WordPress vulnerability analysis and mitigation

The Master Slider Pro WordPress plugin contains a Deserialization of Untrusted Data vulnerability (CVE-2023-47507) affecting versions up to and including 3.6.5. This vulnerability was discovered and reported by Rafie Muhammad, and was publicly disclosed on November 7, 2023 (Patchstack).

The vulnerability is classified as a PHP Object Injection vulnerability resulting from deserialization of untrusted data. It has received a CVSS v3.1 base score of 9.8 CRITICAL according to NVD (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Patchstack rates it at 7.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The vulnerability is tracked under CWE-502 (Deserialization of Untrusted Data) (NVD).

The vulnerability could allow unauthenticated attackers to inject PHP objects. While no POP chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code (WPScan).

Currently, there is no official fix available from the vendor. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement mitigation measures immediately (Patchstack).