CVE-2023-48287: 
WordPress vulnerability analysis and mitigation

The CVE-2023-48287 is a Missing Authorization vulnerability affecting TextMe SMS WordPress plugin versions up to 1.9.0. The vulnerability was discovered by researcher Arvandy and publicly disclosed on November 23, 2023. The issue allows any authenticated users, including those with subscriber-level access, to update plugin settings due to improper access control configurations (WPScan, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where the plugin lacks proper authorization checks when updating its settings. It has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, indicating network accessibility with low attack complexity and requiring low privileges (Patchstack).

The vulnerability allows authenticated users with low-privilege roles (such as subscribers) to modify plugin settings, potentially affecting the integrity and availability of the SMS functionality. This could lead to unauthorized changes in the plugin's configuration and potential disruption of service (WPScan).

The vulnerability has been fixed in version 1.9.1 of the TextMe SMS plugin. Site administrators are advised to update to this version or later to remediate the security issue (Patchstack).