CVE-2023-5884: 
WordPress vulnerability analysis and mitigation

The Word Balloon WordPress plugin before version 4.20.3 contains a Cross-Site Request Forgery (CSRF) vulnerability. This security flaw was discovered and reported by Krzysztof Zając from cert.pl, and was publicly disclosed on November 13, 2023. The vulnerability affects all versions of the Word Balloon plugin prior to version 4.20.3 (WPScan).

The vulnerability stems from the plugin's failure to implement proper CSRF protections for certain actions. The issue has been assigned CVE-2023-5884 and is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability has received a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

When exploited, this vulnerability allows an unauthenticated attacker to trick a logged-in user into deleting arbitrary avatars by simply clicking a malicious link. The attack requires user interaction but can lead to unauthorized deletion of avatar content (WPScan).

The vulnerability has been fixed in version 4.20.3 of the Word Balloon plugin. Users are strongly advised to update to this version or later to protect against this security issue (WPScan).