CVE-2023-49849: 
WordPress vulnerability analysis and mitigation

The Shortcoder WordPress plugin versions up to 6.3 contains a Missing Authorization vulnerability (CVE-2023-49849). The vulnerability was discovered by Abdi Pranata and publicly disclosed on December 6, 2023. This security issue affects the plugin developed by Aakash Chakravarthy and was subsequently fixed in version 6.3.1 (Patchstack, WPScan).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where the plugin lacks proper authorization in an AJAX action. This allows any authenticated users, including those with subscriber-level access, to make unauthorized AJAX calls. The vulnerability has received a CVSS v3.1 base score of 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Patchstack, NVD).

The vulnerability allows authenticated users with low-privilege roles (such as subscribers) to perform actions that should be restricted to users with higher privileges. This broken access control could lead to unauthorized actions being executed within the WordPress installation (Patchstack).

Website administrators are advised to update the Shortcoder plugin to version 6.3.1 or later, which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).