CVE-2023-49830: 
WordPress vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability was discovered in Brainstorm Force's Astra Pro WordPress plugin, identified as CVE-2023-49830. The vulnerability affects all versions of Astra Pro up to and including version 4.3.1, and it was disclosed on December 5, 2023. The issue stems from an Improper Control of Generation of Code (Code Injection) vulnerability that could allow authenticated users with contributor-level access or higher to execute arbitrary code on the server (Patchstack, WPScan).

The vulnerability is related to the ast-advanced-hook-php-code meta field in the plugin, which could be exploited to execute arbitrary code on the server. The issue has received a CVSS v3.1 base score of 8.8 (HIGH) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a CVSS score of 9.9 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-94: Improper Control of Generation of Code (NVD).

The exploitation of this vulnerability could lead to complete compromise of the affected system, potentially allowing attackers to execute arbitrary code on the server. This could result in unauthorized access, data theft, website defacement, and potential use of the compromised server for further malicious activities. The vulnerability affects confidentiality, integrity, and availability of the system, all rated as High in severity (Patchstack).

The vulnerability has been patched in Astra Pro version 4.3.2. Users are strongly advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).