CVE-2023-49859: 
WordPress vulnerability analysis and mitigation

The Login With Ajax WordPress plugin contains a Missing Authorization vulnerability (CVE-2023-49859) discovered in versions up to and including 4.1. The vulnerability was publicly disclosed on December 7, 2023, and was initially reported by security researcher Abdi Pranata on August 19, 2023. The issue affects the plugin's access control mechanisms (Patchstack, WPScan).

The vulnerability is classified as a Missing Authorization (CWE-862) issue, where the plugin lacks proper capability checks on certain functions. It has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability specifically relates to broken access control, which could allow unauthorized actions to be performed (Patchstack).

The vulnerability allows authenticated attackers with subscriber-level access and above to perform unauthorized actions within the WordPress installation. This represents a broken access control issue that could potentially lead to privilege escalation scenarios (WPScan).

The vulnerability has been fixed in version 4.2 of the Login With Ajax plugin. Users are advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).