CVE-2023-48278: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Nitin Rathod's WP Forms Puzzle Captcha WordPress plugin, which could lead to Stored Cross-Site Scripting (XSS). The vulnerability affects all versions of the plugin up to and including version 4.1. This security issue was initially reported on August 15, 2023, and was publicly disclosed on November 22, 2023 (Patchstack).

The vulnerability has been assigned CVE-2023-48278 and is classified under CWE-352 (Cross-Site Request Forgery). It received a CVSS v3.1 base score of 6.1 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a higher CVSS score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The impact is considered to have low to medium severity, affecting confidentiality and integrity of the system (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators using this plugin are advised to implement the Patchstack protection or consider alternative captcha solutions (Patchstack).