CVE-2023-47621: 
PHP vulnerability analysis and mitigation

Guest Entries, a PHP library that enables users to create, update & delete entries from the front-end of a site, was found to contain a vulnerability in versions prior to v3.1.2. The vulnerability was discovered on November 13, 2023, and was assigned CVE-2023-47621. The vulnerability affected the file uploads feature which did not prevent the upload of PHP files (NVD, GitHub Advisory).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue stems from the file uploads feature not implementing proper file type restrictions, specifically allowing the upload of PHP files and related extensions (.php, .php3, .php4, .php5, .phtml). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

This vulnerability could lead to code execution on the server by authenticated users who have access to the file upload functionality. The high CVSS score reflects the potential for significant impact on system confidentiality, integrity, and availability if exploited (GitHub Advisory).

The vulnerability has been fixed in version 3.1.2 of the Guest Entries package. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Advisory).