CVE-2023-51517: 
WordPress vulnerability analysis and mitigation

The CVE-2023-51517 is an Open Redirect vulnerability discovered in CodePeople's Calculated Fields Form WordPress plugin affecting versions up to 1.2.28. The vulnerability was reported by Ngô Thiên An (ancorn_ from VNPT-VCI) on September 28, 2023, and was publicly disclosed on December 27, 2023 (Patchstack).

The vulnerability is classified as a URL Redirection to Untrusted Site ('Open Redirect') vulnerability (CWE-601). It received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a score of 4.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N. The issue stems from the plugin's failure to validate a shortcode attribute (WPScan).

The vulnerability could allow malicious actors to redirect users from legitimate sites to malicious ones, potentially leading to phishing incidents. Users with Contributor-level privileges and above can exploit this vulnerability to perform Open Redirect attacks (Patchstack).

The vulnerability has been fixed in version 1.2.29 of the Calculated Fields Form plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).