
CVE-2023-4023: CWE-639 Authorization Bypass Through User-Controlled Key in Unknown All Users Messenger

Medium
Tags: Vulnerability, CVE-2023-4023, cve, cwe-639
Published: Wed Aug 30 2023 (08/30/2023, 14:22:03 UTC)
Source: CVE
Vendor/Project: Unknown
Product: All Users Messenger

Description

The All Users Messenger WordPress plugin through 1.24 does not prevent non-administrator users from deleting messages from the all-users messenger.

AI-Powered Analysis

Last updated: 07/07/2025, 00:55:40 UTC

Technical Analysis

CVE-2023-4023 is a medium-severity authorization bypass affecting the WordPress plugin All Users Messenger through version 1.24. The plugin does not restrict its message-deletion function to administrators: a request from any authenticated non-administrator account that names a message in the all-users messenger deletes it, although that action should be reserved for privileged users. The weakness is CWE-639 (Authorization Bypass Through User-Controlled Key): the identifier the client supplies selects the record to act on, and the server never checks that the requester is entitled to act on that record, so the supplied key is the only thing standing between the user and the deletion.

The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): reachable over the network, low attack complexity, low privileges (any non-admin account), no user interaction, and a low integrity impact only (message deletion), with no confidentiality or availability impact. No exploitation in the wild is reported, no patch or vendor advisory is linked at the time of writing, and the vendor is recorded as unknown. Because the plugin exists to let users message one another, a missing access-control check on deletion lets any member remove other users' messages, disrupting communication or destroying records the site depends on.
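To make the CWE-639 shape concrete, the following is an added example written for this page; it is not the All Users Messenger plugin's code, and the hook names, table name, column names and parameter names are hypothetical. It places a delete handler that trusts the client-supplied message id beside a hardened version that verifies a nonce, the user's capability, and ownership of the specific record before deleting, and that logs the deletion so it can be audited.

```php
<?php
/**
 * Added illustration of the CVE-2023-4023 weakness class (CWE-639: the
 * client-supplied key alone selects what gets deleted). NOT the plugin's
 * own code; all names below (hooks, table, columns, capability) are
 * hypothetical and chosen only to show the pattern.
 */

// --- Vulnerable pattern: any logged-in user can delete any message.
// wp_ajax_* handlers run for every authenticated user regardless of role,
// so registering the action grants nothing more than the right to call it.
add_action( 'wp_ajax_aum_delete_message_vulnerable', function () {
    global $wpdb;
    $message_id = absint( $_POST['message_id'] ?? 0 );
    // The id from the request is the only key consulted: no nonce, no
    // capability check, no check that this user may touch this message.
    $wpdb->delete( $wpdb->prefix . 'aum_messages', array( 'id' => $message_id ), array( '%d' ) );
    wp_send_json_success();
} );

// --- Hardened pattern: nonce, then authorization on the specific object.
add_action( 'wp_ajax_aum_delete_message_hardened', function () {
    global $wpdb;

    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'aum_delete_message', 'nonce' );

    $message_id = absint( $_POST['message_id'] ?? 0 );
    if ( 0 === $message_id ) {
        wp_send_json_error( 'invalid message id', 400 );
    }

    // 2. Load the record and decide with one explicit policy predicate,
    //    so the rule "admins may delete anything, others only their own"
    //    lives in a single testable place.
    $table   = $wpdb->prefix . 'aum_messages';
    $message = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, sender_id FROM {$table} WHERE id = %d", $message_id )
    );
    if ( null === $message ) {
        wp_send_json_error( 'not found', 404 );
    }
    $user_id = get_current_user_id();
    if ( ! aum_can_delete_message( $user_id, (int) $message->sender_id, current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Audit trail before the destructive step: who deleted what. This is
    //    what lets an unauthorized deletion be detected and attributed later.
    error_log( sprintf( 'aum: user %d deleted message %d', $user_id, $message_id ) );

    $wpdb->delete( $table, array( 'id' => $message_id ), array( '%d' ) );
    wp_send_json_success();
} );

/**
 * Pure policy function (no WordPress globals) so it can be unit-tested:
 * administrators may delete any message, everyone else only messages they
 * sent. User id 0 (not logged in) is always refused.
 */
function aum_can_delete_message( int $current_user_id, int $sender_id, bool $is_admin ): bool {
    if ( 0 === $current_user_id ) {
        return false;
    }
    return $is_admin || $current_user_id === $sender_id;
}
```

The point of the hardened version is that the request's `message_id` is never used as proof of anything: it only locates the row, and a separate decision based on the caller's identity and capability determines whether the action proceeds. Keeping that decision in `aum_can_delete_message()` also makes the authorization rule reviewable in isolation, which is where this class of bug is usually caught.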

Potential Impact

For European organizations using WordPress sites with the All Users Messenger plugin, this vulnerability could lead to unauthorized deletion of messages by non-administrative users. While this does not directly compromise confidentiality or availability, it impacts data integrity and trustworthiness of communication channels. In environments where message logs are critical for compliance, auditing, or operational coordination, such unauthorized deletions could cause operational disruptions or compliance issues. Organizations relying on this plugin for internal or customer communications may face challenges in message traceability and accountability. Although the vulnerability does not allow for privilege escalation or remote code execution, the ability for lower-privileged users to delete messages could be exploited for sabotage, harassment, or to cover malicious activities. This risk is particularly relevant for organizations with multiple user roles and collaborative workflows on WordPress platforms.

Mitigation Recommendations

European organizations should first establish whether the All Users Messenger plugin is installed on any of their WordPress sites and, if so, which version is running. Since no official patch is currently linked, the reliable mitigation is to disable the plugin until a fixed release is available. Where that is not acceptable, restrict who can reach the messenger: limit registration and the roles allowed to use it to trusted users, and bear in mind that tightening WordPress role capabilities only helps if the plugin honours them, which is exactly what this flaw calls into question. Log and monitor message deletions, recording at least the acting user and the message identifier, so that unauthorized removals can be detected and attributed. A Web Application Firewall rule that blocks deletion requests from non-administrative sessions can add a layer of defence, but it must be written against the plugin's actual request pattern and tested, or it will either miss the requests or break legitimate use. Follow WPScan and other vulnerability databases for a patched version, and make sure users know how to report unexpected message deletions.
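The identification and temporary-disable steps above can be automated with a must-use plugin. The following is an added example, not part of this advisory or of the All Users Messenger plugin; the plugin basename it checks is an assumption that must be verified against the site's wp-content/plugins directory before use. It reads the installed version, and if that version falls within the affected range reported here (through 1.24) it deactivates the plugin and shows administrators a notice.

```php
<?php
/**
 * Plugin Name: CVE-2023-4023 guard (added example)
 * Description: Deactivates All Users Messenger when an affected version
 *              (through 1.24) is installed and warns administrators.
 *
 * Added example for this page, not the advisory's or the plugin's code.
 * Install by copying into wp-content/mu-plugins/ (mu-plugins load
 * automatically and cannot be disabled from the dashboard).
 */

// ASSUMPTION: the plugin's main file path. Check the real basename with
// `wp plugin list` or by listing wp-content/plugins before relying on it.
const AUM_GUARD_PLUGIN_FILE = 'all-users-messenger/all-users-messenger.php';

// Highest version the advisory reports as affected.
const AUM_GUARD_MAX_AFFECTED = '1.24';

/** True when $version lies within the affected range from the advisory. */
function aum_guard_is_affected( string $version ): bool {
    return version_compare( $version, AUM_GUARD_MAX_AFFECTED, '<=' );
}

add_action( 'admin_init', function () {
    // Only someone allowed to manage plugins should trigger deactivation.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $plugins = get_plugins();
    if ( ! isset( $plugins[ AUM_GUARD_PLUGIN_FILE ] ) ) {
        return; // plugin not installed on this site
    }

    $version = (string) $plugins[ AUM_GUARD_PLUGIN_FILE ]['Version'];
    if ( ! aum_guard_is_affected( $version ) ) {
        // A version newer than 1.24 is installed. The advisory links no fix,
        // so re-check WPScan before treating a newer release as patched.
        return;
    }

    if ( is_plugin_active( AUM_GUARD_PLUGIN_FILE ) ) {
        deactivate_plugins( AUM_GUARD_PLUGIN_FILE );
        error_log( "aum-guard: deactivated All Users Messenger {$version} (CVE-2023-4023)" );
    }

    add_action( 'admin_notices', function () use ( $version ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( "All Users Messenger {$version} is affected by CVE-2023-4023 and has been deactivated." )
        );
    } );
} );
```

Because the advisory gives only an upper bound on affected versions and no fixed version, the guard deliberately does nothing for newer releases other than leave a comment for the operator; re-enable the plugin only once a database entry or vendor statement confirms the fix.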


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-07-31T15:44:17.837Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc83f

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/7/2025, 12:55:40 AM

Last updated: 7/25/2025, 4:42:37 PM

