CVE-2023-51545: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-51545) affects ThemeHigh's Job Manager & Career WordPress plugin versions up to and including 1.4.4. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on December 27, 2023. It combines Cross-Site Request Forgery (CSRF) and Deserialization of Untrusted Data vulnerabilities in the plugin's functionality (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation in the save_plugin_settings() function. The CVSS score ranges from 8.8 (HIGH) to 9.6 (CRITICAL), with different assessments from various sources. According to the NVD, the base vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rates it as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to update the plugin's settings and perform deserialization that can potentially be leveraged for Remote Code Execution (RCE). This is possible if attackers can trick a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

The vulnerability has been patched in version 1.4.5 of the Job Manager & Career plugin. Users are advised to update to this version or later to remove the vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).