CVE-2023-49167: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2023-49167 affects the Database for CF7 WordPress plugin versions through 1.2.4. It is classified as a Missing Authorization vulnerability that allows exploiting incorrectly configured access control security levels. The vulnerability was discovered by researcher RE-ALTER and was publicly disclosed on November 29, 2023 (Patchstack).

The vulnerability is categorized as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue specifically relates to broken access control, where there is a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute higher privileged actions (Patchstack).

The vulnerability is considered moderately dangerous and is expected to become exploited. It allows unprivileged users to perform actions that should be restricted to users with higher privileges. The vulnerability specifically affects the availability of the system, as indicated by the CVSS metrics showing high impact on availability (Patchstack).

The vulnerability has been fixed in version 1.2.5 of the Database for CF7 plugin. Users are advised to update to version 1.2.5 or later to remove the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).