CVE-2023-51417: 
WordPress vulnerability analysis and mitigation

CVE-2023-51417 is an Unrestricted Upload of File with Dangerous Type vulnerability affecting the JVM Gutenberg Rich Text Icons WordPress plugin versions up to and including 1.2.3. The vulnerability was discovered and reported by Rafie Muhammad, and was publicly disclosed on December 27, 2023 (Patchstack).

The vulnerability exists in the 'ajax_upload_icon' function of the plugin due to missing file type validation. The issue has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a CVSS score of 9.9 (CRITICAL) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to upload arbitrary files to the affected site's server. This could potentially lead to remote code execution, significantly compromising the security of the affected WordPress installation (WPScan).

The vulnerability has been fixed in version 1.2.4 of the JVM Gutenberg Rich Text Icons plugin. Site administrators are strongly advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to a fixed version (Patchstack).