CVE-2023-48768: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Quantity Plus Minus Button for WooCommerce plugin by CodeAstrology, affecting versions through 1.1.9. The vulnerability was reported by researcher Elliot and publicly disclosed on November 28, 2023. The plugin, which is a WordPress extension, lacked proper CSRF protection mechanisms in its settings update functionality (Patchstack, WPScan).

The vulnerability is tracked as CVE-2023-48768 and has received varying CVSS scores from different sources. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rated it at 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow attackers to force authenticated administrators to execute unwanted actions under their current authentication. Specifically, the lack of CSRF protection in the plugin's settings update functionality could enable malicious actors to make unauthorized changes to the plugin's configuration (Patchstack).

The vulnerability has been fixed in version 1.2.0 of the plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).