CVE-2023-5711: 
WordPress vulnerability analysis and mitigation

The System Dashboard plugin for WordPress (CVE-2023-5711) contains a vulnerability related to unauthorized access of data, discovered and disclosed on December 6, 2023. The vulnerability affects all versions up to and including 2.8.7 of the plugin. This security issue stems from a missing capability check on the sd_php_info() function that is hooked via an AJAX action (NVD).

The vulnerability is characterized by a missing authorization check in the sd_php_info() function, which is exposed through an AJAX action. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows authenticated attackers with subscriber-level access or higher to retrieve sensitive information provided by PHP info. This information disclosure could potentially expose system configuration details and other sensitive server information (NVD).

Users should upgrade to version 2.8.8 or later of the System Dashboard plugin, which includes the security fix for this vulnerability. The patch implements proper capability checks for the sd_php_info() function (Wordfence).