CVE-2023-50372: 
WordPress vulnerability analysis and mitigation

The Custom Post Type Page Template WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2023-50372. The vulnerability was discovered in versions up to and including 1.1, with the initial disclosure made on December 7, 2023. The security issue was first reported by researcher Nguyen Xuan Chien on September 19, 2023 (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on an undisclosed function within the plugin. The severity of this vulnerability has been assessed with varying CVSS scores: NIST assigned a high severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as medium severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD, WPScan).

The vulnerability could allow unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. The impact is particularly concerning as it could lead to unauthorized actions being executed under the privileges of the authenticated administrator (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects all versions up to and including version 1.1 of the Custom Post Type Page Template plugin (Patchstack).