CVE-2023-5953: 
WordPress vulnerability analysis and mitigation

CVE-2023-5953 affects the Welcart e-Commerce WordPress plugin versions before 2.9.5. The vulnerability was discovered and publicly disclosed on November 10, 2023. The plugin contains a file upload vulnerability that affects the file handling mechanism in its AJAX functionality (WPScan).

The vulnerability stems from inadequate file validation mechanisms and missing authorization and CSRF protections in an AJAX action that handles file uploads. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability allows any authenticated user, including those with low-privilege roles such as subscribers, to upload arbitrary files including PHP files to the server. This could potentially lead to remote code execution if an attacker successfully uploads and executes malicious PHP files (WPScan).

The vulnerability has been fixed in version 2.9.5 of the Welcart e-Commerce plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).