CVE-2023-5957: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2023-5957 affects the Ni Purchase Order(PO) For WooCommerce WordPress plugin versions through 1.2.1. The vulnerability was discovered by Dao Xuan Hieu and was publicly disclosed on September 26, 2023. This security flaw impacts the plugin's file upload functionality in the settings area (WPScan).

The vulnerability stems from improper validation of logo and signature image files uploaded in the plugin settings. This security weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability falls under the OWASP Top 10 category A1: Injection (NVD, WPScan).

When exploited, this vulnerability allows high-privileged users to upload arbitrary files to the web server, potentially leading to Remote Code Execution (RCE) through the upload of a web shell. This could result in complete compromise of the affected system, allowing attackers to execute arbitrary commands on the server (WPScan).

The vulnerability has been fixed in version 1.2.2 of the Ni Purchase Order(PO) For WooCommerce plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).