CVE-2023-5235: 
WordPress vulnerability analysis and mitigation

The Ovic Responsive WPBakery WordPress plugin before version 1.2.9 contains a critical security vulnerability identified as CVE-2023-5235. The vulnerability was discovered and reported by Gibran Abdillah, and it affects the plugin's AJAX actions functionality. The issue was publicly disclosed on November 7, 2023, and has been assigned a high severity CVSS score of 8.8 (WPScan).

The vulnerability stems from the plugin's failure to properly limit which options can be updated through its AJAX actions. Additionally, the plugin unserializes user input during processing, which could lead to Object Injection attacks. The vulnerability has been classified under CWE-269 and falls under the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan).

The vulnerability allows attackers with subscriber-level access or higher to update critical blog options, including 'users_can_register' and 'default_role'. This can be exploited to create new accounts that are automatically assigned administrator privileges, effectively enabling privilege escalation. Furthermore, the unserialized user input processing could potentially lead to Object Injection attacks (WPScan).

The vulnerability has been patched in version 1.2.9 of the Ovic Responsive WPBakery WordPress plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).