CVE-2023-51410: 
WordPress vulnerability analysis and mitigation

The WPVibes WP Mail Log WordPress plugin versions up to 1.1.2 contains an Unrestricted Upload of File with Dangerous Type vulnerability. The vulnerability was discovered by Rafie Muhammad from Patchstack and was publicly disclosed on December 27, 2023. This security issue was assigned CVE-2023-51410 and affects all versions of the plugin through version 1.1.2 (Patchstack Advisory, NVD Database).

The vulnerability exists in the 'send_email' function of the plugin, which lacks proper file type validation. This security flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability has received varying CVSS scores, with NVD assigning a base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 9.9 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD Database, WPScan).

The vulnerability allows authenticated attackers with contributor-level access or higher to upload arbitrary files to the affected site's server. This could potentially lead to remote code execution if exploited successfully. The ability to upload malicious files could result in complete website compromise, including the potential for backdoor installation and unauthorized access to the website (Patchstack Advisory).

Website administrators are advised to update to version 1.1.3 or later of the WP Mail Log plugin, which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack Advisory).