CVE-2023-49163: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Michael Winkler's teachPress WordPress plugin, affecting all versions up to and including 9.0.5. The vulnerability was disclosed on November 28, 2023, and was assigned the identifier CVE-2023-49163. The issue specifically affects the delete_database() function in the plugin (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation in the delete_database() function. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST assigned a HIGH severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as MEDIUM with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to clear the database through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link. This could potentially lead to data loss or unauthorized database modifications (WPScan).

The vulnerability has been fixed in teachPress version 9.0.6. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).