CVE-2023-7202: 
WordPress vulnerability analysis and mitigation

CVE-2023-7202 affects the Fatal Error Notify WordPress plugin versions before 1.5.3. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on January 30, 2024. The plugin lacks proper authorization and CSRF checks in its test_error AJAX action, making it susceptible to exploitation (CleanTalk Research, WPScan).

The vulnerability stems from missing authorization and Cross-Site Request Forgery (CSRF) checks in the plugin's test_error AJAX action. The CVSS base score is 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and falls under the OWASP Top 10 category A5: Broken Access Control (CISA-ADP).

When exploited, this vulnerability allows any authenticated user, including those with subscriber-level access, to spam the admin email address with error messages. The attack can involve sending large volumes of HTML-coded messages, potentially leading to email disruption and possible blocking of the WordPress site's email functionality due to suspicious activity (CleanTalk Research).

The vulnerability has been patched in version 1.5.3 of the Fatal Error Notify plugin. Site administrators should update to this version or later to mitigate the risk. Recommended security measures include implementing CSRF tokens, email rate limiting, user confirmation mechanisms for critical actions, and security headers such as Content Security Policy (CleanTalk Research).