CVE-2023-48274: 
WordPress vulnerability analysis and mitigation

The WCMultiShipping plugin for WordPress contains a Missing Authorization vulnerability (CVE-2023-48274) that affects versions up to and including 2.3.5. The vulnerability was discovered on November 21, 2023, and involves broken access control in the Mondial Relay WooCommerce plugin's log export functionality (WPScan, Patchstack).

The vulnerability stems from a missing capability check in the wmsexportlog function, which creates a broken access control scenario. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to export and view the plugin's log file, potentially exposing sensitive information stored in the logs (WPScan).

The vulnerability has been fixed in version 2.3.6 of the WCMultiShipping plugin. Users are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).