CVE-2023-6529: 
WordPress vulnerability analysis and mitigation

CVE-2023-6529 affects the WP VR WordPress plugin versions before 8.3.15. The vulnerability was discovered by Krzysztof Zając from CERT PL and was publicly disclosed on December 14, 2023. This security issue impacts the WordPress plugin's authorization mechanisms and involves Cross-Site Request Forgery (CSRF) vulnerabilities (WPScan).

The vulnerability stems from improper authorization and CSRF protection in a function hooked to admin_init. The issue allows unauthenticated users to downgrade the plugin to previous versions that contain known XSS vulnerabilities. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is categorized under CWE-79 (Cross-site Scripting) and CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to force a plugin downgrade, which can lead to both Reflected and Stored Cross-Site Scripting (XSS) attacks, as previous versions of the plugin contain such vulnerabilities. This creates a potential security risk for affected WordPress installations (WPScan).

The vulnerability has been fixed in version 8.3.15 of the WP VR plugin. Site administrators should update to this version or later to protect against this security issue. It's worth noting that version 3.8.15 only partially fixed the issue due to an incorrect capability check being implemented (WPScan).