CVE-2023-47649: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress plugin Best Restaurant Menu by PriceListo, affecting versions up to 1.3.1. The vulnerability was reported on November 7, 2023, and was assigned CVE-2023-47649. The issue was discovered by security researcher Skalucy (Patchstack).

The vulnerability stems from the plugin's lack of CSRF protection mechanisms when updating its settings. The severity of this vulnerability has been assessed with different CVSS scores: NIST assigned a high severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as medium severity with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow malicious actors to force privileged users to execute unwanted actions under their current authentication. This could potentially lead to unauthorized changes in the plugin's settings when an authenticated administrator visits a maliciously crafted webpage (WPScan).

The vulnerability has been fixed in version 1.4.0 of the Best Restaurant Menu by PriceListo plugin. Users are advised to update to version 1.4.0 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).