CVE-2023-51668: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in WP Zone's Inline Image Upload for BBPress WordPress plugin, affecting versions up to and including 1.1.18. The vulnerability was discovered by Nguyen Xuan Chien and publicly disclosed on December 27, 2023 (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation in the hm_bbpui_admin_page function. The severity of this vulnerability has been assessed with different CVSS scores: NIST rates it as HIGH with a base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack assigns it a MEDIUM severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

This vulnerability could allow unauthenticated attackers to trigger a cleanup operation by tricking site administrators into performing specific actions, such as clicking on a malicious link (WPScan).

The vulnerability has been fixed in version 1.1.19 of the Inline Image Upload for BBPress plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).