CVE-2023-5201: 
WordPress vulnerability analysis and mitigation

The OpenHook WordPress plugin contains a Remote Code Execution (RCE) vulnerability (CVE-2023-5201) affecting versions up to and including 4.3.0. The vulnerability was discovered and publicly disclosed on September 29, 2023. The issue allows authenticated attackers with subscriber-level permissions or higher to execute arbitrary code on the server through the 'php' shortcode feature when enabled (NVD, WPScan).

The vulnerability stems from the plugin's failure to properly restrict access to its 'php' shortcode functionality, which allows low-privileged users to execute PHP code on the server. The severity of this vulnerability is rated as Critical with a CVSS score of 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability is classified as CWE-94 and falls under the OWASP Top 10 category A1: Injection (WPScan).

If exploited, this vulnerability allows authenticated attackers with subscriber-level access or higher to execute arbitrary PHP code on the affected server. This could lead to complete system compromise, including unauthorized access to sensitive data, modification of website content, and potential lateral movement within the hosting environment (NVD).

The vulnerability has been patched in version 4.3.1 of the OpenHook plugin. Site administrators are strongly advised to update to this version immediately. If immediate updating is not possible, it is recommended to disable the [php] shortcode feature or restrict user roles that can create and edit content (WPScan).