CVE-2023-5882: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-5882) affects the Export any WordPress data to XML/CSV WordPress plugin (versions before 1.4.0) and WP All Export Pro WordPress plugin (versions before 1.8.6). The vulnerability was discovered and publicly disclosed on November 21, 2023, by researchers Francesco Marano and Donato Di Pasquale from Unlock Security (WPScan).

The vulnerability stems from improper nonce token validation in the request lifecycle. The affected plugins fail to check nonce tokens early enough, which creates a security weakness. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It is classified as CWE-352 (Cross-Site Request Forgery) and has also received a CVSS score of 9.6 (critical) from other sources (NVD, WPScan).

The vulnerability allows attackers to make logged-in users perform unwanted actions that can lead to remote code execution. When successfully exploited, an attacker can execute arbitrary PHP code on the affected system through the plugin's functionality (WPScan).

The vulnerability has been patched in version 1.4.1 of the free WP All Export plugin and version 1.8.6 of WP All Export Pro. Users are advised to update to these latest versions to mitigate the security risk (WPScan).