CVE-2023-4930: 
WordPress vulnerability analysis and mitigation

The Front End PM WordPress plugin before version 11.4.3 contains a sensitive data exposure vulnerability (CVE-2023-4930). The vulnerability allows unauthenticated visitors to list and download private attachments from message directories if the web server's autoindex feature is enabled. This vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on October 16, 2023 (WPScan).

The vulnerability stems from the plugin's failure to properly secure directories where attachments to private messages are stored. The issue is classified as CWE-552 (Files or Directories Accessible to External Parties). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with no privileges or user interaction required (NVD).

When exploited, this vulnerability allows unauthorized users to access and download private message attachments that should only be accessible to intended recipients. This could lead to the exposure of sensitive or confidential information stored in private message attachments (WPScan).

Users are advised to update to Front End PM version 11.4.3 or later, which patches this vulnerability. Additionally, administrators should ensure that directory listing (autoindex) is disabled on their web servers (WPScan).