CVE-2023-6066: 
WordPress vulnerability analysis and mitigation

The WP Custom Widget area WordPress plugin through version 1.2.5 contains a security vulnerability identified as CVE-2023-6066. The vulnerability was discovered by Krzysztof Zając from CERT PL and publicly disclosed on December 21, 2023. This security issue affects the plugin's AJAX action callback functions, which lack proper capability and nonce checks (WPScan).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 4.3 (MEDIUM). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges. The security flaw stems from improper implementation of capability and nonce checks in the plugin's AJAX action callback functions (NVD).

The vulnerability allows attackers with subscriber or higher privileges to perform unauthorized actions on the affected WordPress sites. Specifically, attackers can create new menus, delete existing menus, and modify menu configurations without proper authorization (WPScan).

Currently, there is no known fix available for this vulnerability in the WP Custom Widget area plugin. Site administrators using affected versions (1.2.5 or earlier) should consider either removing the plugin or implementing additional security controls to restrict access to the affected functionality (WPScan).