CVE-2023-6042: 
WordPress vulnerability analysis and mitigation

CVE-2023-6042 is a security vulnerability affecting the Getwid WordPress plugin versions prior to 2.0.3. The vulnerability was discovered by Krzysztof Zając from CERT PL and publicly disclosed on December 15, 2023. The issue allows any unauthenticated user to send emails from the site with arbitrary title and content to the administrator (WPScan).

The vulnerability is classified as an authentication bypass (AUTHBYPASS) with a CVSS v3.1 base score of 7.5 (HIGH), and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. It is mapped to CWE-287 (Improper Authentication). The vulnerability exists in the email sending functionality of the Getwid plugin, where the security checks are insufficient to prevent unauthorized access (NVD, WPScan).

The vulnerability allows attackers to send arbitrary emails through the affected WordPress site to the administrator. This could be exploited for phishing attacks or social engineering by sending fake notifications that appear to come from the legitimate site (WPScan).

The vulnerability has been fixed in Getwid version 2.0.3. Users are advised to update to this version or later to mitigate the security risk (WPScan).