CVE-2023-49856: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in RedNao Smart Forms WordPress plugin (CVE-2023-49856), affecting versions up to 2.6.84. The vulnerability was discovered by Abdi Pranata and publicly disclosed on December 7, 2023. The issue resides in the plugin's AJAX action implementation, specifically in the smartformssavesettings() function ([Patchstack](https://patchstack.com/database/wordpress/plugin/smart-forms/vulnerability/wordpress-smart-forms-plugin-2-6-84-authenticated-arbitrary-options-change-vulnerability?s_id=cve), WPScan).

The vulnerability stems from improper authorization controls in the AJAX action hooked to smartformssavesettings(). The plugin fails to verify that the options being updated belong to the plugin itself, resulting in a broken access control issue. The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating a serious security risk ([Patchstack](https://patchstack.com/database/wordpress/plugin/smart-forms/vulnerability/wordpress-smart-forms-plugin-2-6-84-authenticated-arbitrary-options-change-vulnerability?s_id=cve)).

The vulnerability allows any authenticated user, including those with subscriber-level privileges, to update arbitrary WordPress options. This includes critical system settings such as defaultrole and userscan_register, potentially leading to significant security implications for affected WordPress installations (WPScan).

The vulnerability has been fixed in version 2.6.85 of the Smart Forms plugin. Site administrators are strongly advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).