CVE-2023-6139: 
WordPress vulnerability analysis and mitigation

The Essential Real Estate WordPress plugin before version 4.4.0 contains a security vulnerability identified as CVE-2023-6139. The vulnerability was discovered and publicly disclosed on December 18, 2023, by Krzysztof Zając from CERT PL. This security issue affects the plugin's AJAX actions implementation, where proper capability checks are not applied, potentially exposing WordPress sites to security risks (WPScan).

The vulnerability stems from improper implementation of capability checks in the plugin's AJAX actions. It has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue is classified under CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control (NVD, WPScan).

When exploited, this vulnerability allows attackers with a subscriber-level account to conduct Denial of Service attacks against the affected WordPress installation. The impact is primarily focused on the availability aspect of the system, as reflected in the CVSS scoring which indicates high impact on availability but no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed in version 4.4.0 of the Essential Real Estate WordPress plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk. No alternative workarounds have been publicly documented (WPScan).