CVE-2023-52149: 
WordPress vulnerability analysis and mitigation

The Floating Button WordPress plugin, developed by Wow-Company, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 6.0. The vulnerability was discovered by researcher Skalucy and was publicly disclosed on December 28, 2023. The issue was assigned CVE-2023-52149 and has been patched in version 6.0.1 (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation in the process_bulk_action function. The severity of this vulnerability has been assessed with different CVSS scores: NIST rates it as HIGH with a base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack assigns it a MEDIUM severity with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L). The vulnerability is classified as CWE-352: Cross-Site Request Forgery (Patchstack).

The vulnerability allows unauthenticated attackers to process bulk actions through forged requests if they can trick a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

The vulnerability has been fixed in version 6.0.1 of the Floating Button plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).