CVE-2023-47871: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in IT Path Solutions' Contact Form to Any API WordPress plugin, tracked as CVE-2023-47871. The vulnerability affects versions through 1.1.6 and involves incorrectly configured access control security levels. The issue was discovered by researcher Arvandy on October 8, 2023, and was publicly disclosed on November 20, 2023 (Patchstack).

The vulnerability is classified as a Broken Access Control issue, which stems from missing authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to execute higher privileged actions. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Patchstack).

The vulnerability is considered moderately dangerous and is expected to become exploited. It requires subscriber-level privileges to exploit, potentially allowing unauthorized users to perform actions beyond their intended permission level (Patchstack).

The vulnerability has been fixed in version 1.1.7 of the Contact Form to Any API plugin. Users are advised to update to this version or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).