CVE-2023-51539: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Apollo13Themes Apollo13 Framework Extensions WordPress plugin, affecting versions up to and including 1.9.1. The vulnerability was disclosed on December 27, 2023, and was assigned CVE-2023-51539. The issue stems from missing or incorrect nonce validation on specific plugin functions: a13fe_nava_add_post and a13fe_nava_delete_post (WPScan).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and has received varying CVSS scores from different sources. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rated it at 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to add and delete posts through forged requests if they can successfully trick a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

The vulnerability has been fixed in version 1.9.2 of the Apollo13 Framework Extensions plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).