CVE-2023-47757: 
WordPress vulnerability analysis and mitigation

The AWeber – Free Sign Up Form and Landing Page Builder Plugin for WordPress contains a Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerability affecting versions through 7.3.9. The vulnerability allows unauthorized access and modification of data due to missing capability checks on several functions hooked by AJAX actions (WPScan, Patchstack).

The vulnerability is classified with CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). It received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack assigned a CVSS score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability makes it possible for subscribers and users with higher privileges to create and publish pages and modify landing pages without proper authorization. This represents a significant breach in access control mechanisms (WPScan).

The vulnerability has been fixed in version 7.3.10 of the AWeber plugin. Users are advised to update to this version or later to resolve the security issue (WPScan).