
Cloud Vulnerability DB
A community-led vulnerabilities database
The Super Store Finder WordPress plugin contains an unauthenticated arbitrary email creation and relay vulnerability (CVE-2023-5054) affecting versions up to and including 6.9.3. The vulnerability was discovered in September 2023 and is due to insufficient restrictions on the sendMail.php file, which allows the file to be accessed directly (NVD).
Because sendMail.php can be reached directly, its email-sending functionality is exposed, and unauthenticated attackers can use the vulnerable site's server to send emails with arbitrary content. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) by NIST and 5.8 (Medium) by Wordfence, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).
The practical impact is that the emails originate from the vulnerable website's server, so they could be used for spam campaigns or phishing attacks that appear to come from the compromised site's domain (NVD).
The vulnerability was patched in version 6.9.4 of the Super Store Finder WordPress plugin. The fix removed direct email sending and added validation of the email query before sending the store's email. Users are advised to update to version 6.9.4 or later to mitigate this vulnerability (Super Store Finder).
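Since the flaw is direct access to sendMail.php, a site owner who has just updated can still check web server access logs to see whether the endpoint was reached directly before the patch. The script below is an added example written for this entry; it is not code from Wiz, NVD, Wordfence or the Super Store Finder project. It parses combined-format access log lines, flags every request to a sendMail.php under /wp-content/plugins/, and rates a hit whose Referer is missing or off-site as "high" because that is the direct-access pattern the advisory describes, whereas the plugin's own store page would send a same-site Referer. The plugin directory name and all log lines are constructed sample data, and the Referer check is a noise filter, not proof of legitimacy, since the header is client-controlled.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/nginx "combined" log format. The sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any sendMail.php below a plugin directory. The advisory names only the file,
# not the plugin's directory, so the directory is captured rather than assumed.
TARGET_RE = re.compile(
    r"^/wp-content/plugins/(?P<plugin>[^/]+)/(?:[^?]*/)?sendMail\.php(?:\?|$)", re.I
)

# Constructed sample log: one legitimate store-page submission (same-site Referer)
# and a burst of direct POSTs from one client with no or off-site Referer.
# "superstorefinder-wp" is a placeholder plugin directory, not taken from the advisory.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Sep/2023:10:01:02 +0000] "GET /store-locator/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2023:10:01:30 +0000] "POST /wp-content/plugins/superstorefinder-wp/sendMail.php HTTP/1.1" 200 41 "https://shop.example/store-locator/" "Mozilla/5.0"
203.0.113.9 - - [12/Sep/2023:10:05:00 +0000] "POST /wp-content/plugins/superstorefinder-wp/sendMail.php HTTP/1.1" 200 41 "-" "python-requests/2.31.0"
203.0.113.9 - - [12/Sep/2023:10:05:01 +0000] "POST /wp-content/plugins/superstorefinder-wp/sendMail.php HTTP/1.1" 200 41 "-" "python-requests/2.31.0"
203.0.113.9 - - [12/Sep/2023:10:05:02 +0000] "POST /wp-content/plugins/superstorefinder-wp/sendMail.php HTTP/1.1" 200 41 "-" "python-requests/2.31.0"
203.0.113.9 - - [12/Sep/2023:10:05:03 +0000] "POST /wp-content/plugins/superstorefinder-wp/sendMail.php?x=1 HTTP/1.1" 200 41 "http://other.example/" "python-requests/2.31.0"
198.51.100.7 - - [12/Sep/2023:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, site_host):
    """Return a finding for a request to a plugin sendMail.php, otherwise None.

    A Referer pointing at the site itself is what the plugin's own store page
    would produce; a missing or off-site Referer means the endpoint was reached
    directly, which is the access pattern behind CVE-2023-5054.
    """
    t = TARGET_RE.match(entry["path"])
    if not t:
        return None
    ref_host = urlparse(entry["referer"]).hostname if entry["referer"] != "-" else None
    direct = ref_host != site_host
    return {
        "ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
        "status": entry["status"], "plugin": t.group("plugin"), "ua": entry["ua"],
        "direct": direct, "severity": "high" if direct else "info",
    }


def analyze(lines, site_host):
    """Scan log lines; return (all sendMail.php findings, direct-hit count per client IP)."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # rotated-in junk or a different log format
        finding = classify(entry, site_host)
        if finding:
            findings.append(finding)
    per_ip = Counter(f["ip"] for f in findings if f["direct"])
    return findings, per_ip


if __name__ == "__main__":
    results, per_ip = analyze(SAMPLE_LOG, "shop.example")
    for f in results:
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['plugin']}/sendMail.php ua={f['ua']}")
    for ip, n in per_ip.most_common():
        print(f"direct sendMail.php requests from {ip}: {n}")
```

To run it against a real server, replace SAMPLE_LOG with the lines of the access log and pass the site's own hostname as site_host; a burst of "high" findings from one client, especially with a scripting User-Agent, is the pattern worth correlating with the mail server's outbound queue for the same time window.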
Source: This report was generated using AI