CVE-2023-48323: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Awesome Support – WordPress HelpDesk & Support Plugin, affecting versions up to and including 6.1.4. The vulnerability was reported on November 23, 2023, by security researcher thiennv (Wordfence, Patchstack).

The vulnerability stems from missing or incorrect nonce validation in the wpas_edit_reply_ajax() function. The severity of this vulnerability has been assessed with different CVSS scores: NIST rates it as HIGH with a base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack assigns it a MEDIUM severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to edit replies in the support system by tricking site administrators into performing specific actions, such as clicking on malicious links (WPScan).

The vulnerability has been fixed in version 6.1.5 of the Awesome Support plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended (Patchstack).