CVE-2023-49164: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the OceanWP Ocean Extra WordPress plugin, affecting versions through 2.2.2. The vulnerability was disclosed on November 29, 2023, and was assigned CVE-2023-49164. The issue was fixed in version 2.2.3 (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation in the ajax_required_plugins_activate() function. The severity of this vulnerability has been assessed with different CVSS scores: NIST assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rated it at 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

This vulnerability allows unauthenticated attackers to activate arbitrary plugins on the affected WordPress installation, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

Users are advised to update the Ocean Extra plugin to version 2.2.3 or later to remediate this vulnerability. This security issue has been classified as having a low severity impact, but updating is recommended to ensure system security (Patchstack).