CVE-2023-47840: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-47840) affects Qode Interactive's Qode Essential Addons WordPress plugin versions up to and including 1.5.2. The vulnerability was discovered by Brandon James Roldan and was publicly disclosed on November 27, 2023. It is classified as an Improper Control of Generation of Code (Code Injection) vulnerability that allows for arbitrary plugin installation and activation (Patchstack, WPScan).

The vulnerability stems from a missing capability check on the install_plugin() function, which allows authenticated users with subscriber-level access or higher to perform unauthorized modifications. The severity of this vulnerability is rated as Critical with a CVSS v3.1 base score of 9.9 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) according to Patchstack, while NVD rates it as High with a score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is categorized under CWE-94 (Improper Control of Generation of Code) (NVD, Patchstack).

The vulnerability could potentially lead to Remote Code Execution (RCE), allowing malicious actors to execute commands on the target website. This could result in backdoor access and full control of the affected website. The high CVSS score indicates that this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

The vulnerability has been fixed in version 1.5.3 of the Qode Essential Addons plugin. Website administrators are strongly advised to update to this version or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).