CVE-2023-48751: 
WordPress vulnerability analysis and mitigation

A Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Participants Database WordPress plugin, developed by Roland Barker of xnau webdesign. The vulnerability affects all versions up to 2.5.5 and was first reported on November 23, 2023. The issue was officially published with identifier CVE-2023-48751 on December 18, 2023 (NVD, Patchstack).

The vulnerability is classified as a broken access control issue, stemming from missing authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to execute higher privileged actions. The vulnerability has received varying CVSS severity ratings: NIST assigned a High severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as Medium severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) (NVD).

The vulnerability could allow an unprivileged user with subscriber-level access to perform actions typically restricted to users with higher privileges. This broken access control issue could potentially compromise the security of the WordPress installation running the affected plugin (Patchstack).

Users are advised to update to version 2.5.6 or later to resolve the vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).