CVE-2023-51421: 
WordPress vulnerability analysis and mitigation

The Verge3D WordPress plugin, developed by Soft8Soft LLC, was found to contain an Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2023-51421). The vulnerability affects versions up to and including 4.5.2 of the Verge3D Publishing and E-Commerce plugin. This security issue was discovered by Rafie Muhammad and publicly disclosed on December 27, 2023 (Patchstack, WPScan).

The vulnerability stems from missing file type validation in the 'v3d_upload_app_file' function, which could allow authenticated users with subscriber-level access or higher to upload arbitrary files to the affected site's server. The severity of this vulnerability is rated as Critical with a CVSS v3.1 base score of 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) according to Patchstack, while NIST rates it as High with a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (Patchstack).

The vulnerability could potentially lead to remote code execution on the affected server through the upload of malicious files. This could give attackers significant control over the compromised website and potentially lead to further system compromise (Patchstack).

The vulnerability has been fixed in version 4.5.3 of the Verge3D plugin. Site administrators are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).