CVE-2023-52200: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) and Deserialization of Untrusted Data vulnerability was discovered in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup. The vulnerability affects versions up to and including 4.0.22 of the WordPress plugin. The issue was initially reported on November 30, 2023, and was publicly disclosed on January 3, 2024 (Patchstack).

The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a score of 9.6 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF and deserialization of untrusted data could potentially lead to severe security implications, including unauthorized access and system compromise (Patchstack).

The vulnerability has been patched in version 4.0.23 of the ARMember plugin. Users are advised to update to version 4.0.23 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).