CVE-2023-23986
Description
Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating – Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reviews and Rating – Google My Business: from n/a through 4.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in the WordPress Reviews and Rating – Google My Business plugin allows lower-privileged users to perform unauthorized actions.
The WordPress plugin Reviews and Rating – Google My Business (versions prior to 4.15) contains a missing authorization vulnerability [1]. The root cause is that access control checks are improperly configured or missing entirely, allowing users to bypass intended security levels. This flaw is classified as a broken access control issue [1].
Exploitation requires some user interaction, typically a privileged user clicking a malicious link or visiting a crafted page, but can be initiated by an attacker with lower privileges. The attack vector may involve sending a crafted request that exploits the missing authorization check [1]. The vulnerability does not require special network access beyond being able to reach the WordPress admin interface.
Successful exploitation allows an attacker with lower privileges to perform actions that should require higher privilege levels, potentially leading to unauthorized data modification, configuration changes, or other administrative operations. The CVSS score of 5.4 (Medium) reflects this moderate impact [1].
The vendor has released version 4.15 which patches the vulnerability. Users are strongly advised to update immediately. For those who cannot update, Patchstack provides a mitigation rule to block exploitation attempts until the update is applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=4.14
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.