CVE-2023-49858: 
WordPress vulnerability analysis and mitigation

The Custom Login WordPress plugin versions up to 4.1.0 contains a Missing Authorization vulnerability (CVE-2023-49858) that was discovered by Abdi Pranata and publicly disclosed on December 7, 2023. The vulnerability affects the plugin's access control mechanisms, potentially allowing authenticated users with subscriber-level privileges to perform unauthorized actions (Patchstack, WPScan).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating that it requires network access and low privileges to exploit, with no user interaction needed (Patchstack).

The vulnerability allows authenticated attackers with subscriber-level access to perform unauthorized actions due to improper authorization checks in the plugin's functionality. While the specific unauthorized actions are not detailed, the impact is considered moderate based on the CVSS score (Patchstack).

The vulnerability has been fixed in version 4.1.1 of the Custom Login plugin. Site administrators are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).