CVE-2023-7199: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-7199) affects the Relevanssi WordPress plugin before version 4.22.0 and Relevanssi Premium WordPress plugin before version 2.25.0. The vulnerability allows any unauthenticated user to read draft and private posts through a crafted request. This security issue was discovered by Krzysztof Zając from CERT PL and was publicly disclosed on January 4, 2024 (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) and falls under the CWE-639 (Authorization Bypass Through User-Controlled Key) category. It has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD).

The vulnerability allows unauthorized access to draft and private posts on WordPress sites running affected versions of the Relevanssi plugin. This represents a significant privacy concern as content intended to be private or unpublished could be exposed to any user (WPScan).

The vulnerability has been patched in Relevanssi version 4.22.0 and Relevanssi Premium version 2.25.0. Site administrators are strongly advised to update to these versions or later to protect their sites from unauthorized access to draft and private posts (Relevanssi Release Notes).