CVE-2023-5737: 
WordPress vulnerability analysis and mitigation

The WordPress Backup & Migration WordPress plugin before version 1.4.4 contains a security vulnerability identified as CVE-2023-5737. This vulnerability was discovered and reported by Krzysztof Zając from CERT PL, and was publicly disclosed on November 6, 2023. The vulnerability affects the wp-migration-duplicator plugin and has been assigned a CVSS v3.1 base score of 4.3 (Medium) (WPScan, NVD).

The vulnerability stems from improper authorization checks in AJAX requests within the plugin. It is classified as CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control. The vulnerability has a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and low privileges required (WPScan).

The vulnerability allows users with a role as low as Subscriber to update certain plugin settings through unauthorized AJAX requests. This could potentially lead to unauthorized modification of plugin configurations, compromising the security and functionality of the backup and migration features (WPScan).

The vulnerability has been fixed in version 1.4.4 of the WordPress Backup & Migration plugin. Users are advised to update to this version or later to protect against potential exploitation (WPScan).