CVE-2023-6979: 
WordPress vulnerability analysis and mitigation

The Customer Reviews for WooCommerce plugin for WordPress (CVE-2023-6979) contains a critical vulnerability affecting all versions up to and including 5.38.9. The vulnerability was discovered and disclosed on January 11, 2024, impacting the plugin's file upload functionality in the ivole_import_upload_csv AJAX action (NVD).

The vulnerability stems from missing file type validation in the ivole_import_upload_csv AJAX action, which allows for arbitrary file uploads. The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability enables authenticated attackers with author-level access or higher to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution, allowing attackers to take control of the affected WordPress installation (NVD).

Users should immediately update their Customer Reviews for WooCommerce plugin to a version newer than 5.38.9 to address this vulnerability. The issue has been patched in subsequent releases (Wordfence).