CVE-2023-52127: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2023-52127 is a Cross-Site Request Forgery (CSRF) vulnerability affecting WPClever WPC Product Bundles for WooCommerce plugin versions up to and including 7.3.1. The vulnerability was discovered by Brandon Roldan and was publicly disclosed on December 28, 2023 (Patchstack).

The vulnerability exists due to missing or incorrect nonce validation on several functions in /includes/class-woosb.php. The severity of this vulnerability has been assessed with different CVSS scores: NIST rates it as HIGH with a base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack assigns it a MEDIUM severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (WPScan).

This vulnerability could allow unauthenticated attackers to update search settings via a forged request if they can trick a site administrator into performing specific actions, such as clicking on a malicious link. The potential impact includes forcing higher privileged users to execute unwanted actions under their current authentication (Patchstack).

The vulnerability has been fixed in version 7.3.2 of the WPC Product Bundles for WooCommerce plugin. Users are advised to update to version 7.3.2 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).