CVE-2023-52119: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Icegram Engage WordPress plugin (versions up to and including 3.1.18). The vulnerability was identified in the save_campaign_preview() function due to missing or incorrect nonce validation (WPScan, Patchstack).

The vulnerability is tracked as CVE-2023-52119 and has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. However, Patchstack assessed it with a lower CVSS score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to save campaign previews via forged requests if they can trick a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

The vulnerability has been fixed in version 3.1.19 of the Icegram Engage WordPress plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).

The vulnerability was initially discovered and reported by security researcher Brandon James Roldan (tomorrowisnew) on October 31, 2023, and was publicly disclosed on December 28, 2023 (WPScan).