CVE-2023-51490: 
WordPress vulnerability analysis and mitigation

The WPMU DEV Defender Security – Malware Scanner, Login Security & Firewall plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2023-51490) affecting all versions up to and including 4.1.0. The vulnerability was discovered and reported by Joshua Chan and publicly disclosed on December 27, 2023 (Patchstack).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 base score of 7.5 HIGH (NIST) and 5.3 MEDIUM (Patchstack). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it is network accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (NVD).

This vulnerability allows unauthenticated attackers to extract sensitive data including system and plugin information through the plugin's log file. The exposure of sensitive information could potentially be used by malicious actors to exploit other weaknesses in the system (WPScan).

The vulnerability has been fixed in version 4.2.0 of the Defender Security plugin. Users are advised to update to version 4.2.0 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).