
CVE-2023-6042: CWE-287 Improper Authentication in Unknown Getwid

Severity: High
Published: Mon Jan 08 2024 (01/08/2024, 19:00:28 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: Getwid

Description

Any unauthenticated user may send e-mail from the site with any title or content to the admin.

AI-Powered Analysis

Last updated: 07/04/2025, 02:12:36 UTC

Technical Analysis

CVE-2023-6042 is a high-severity vulnerability classified under CWE-287 (Improper Authentication) affecting the Getwid product. The vulnerability allows any unauthenticated user to send emails from the affected site to the administrator with arbitrary titles and content. This means that the application does not properly verify the identity or authorization of users before allowing the email-sending functionality to be used. The CVSS 3.1 base score of 7.5 reflects a high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to integrity (I:H), as the attacker can manipulate the content of emails sent to the admin, but confidentiality and availability are not directly affected. The scope remains unchanged (S:U), meaning the vulnerability affects only the vulnerable component.

No patches or known exploits in the wild have been reported as of the publication date (January 8, 2024). The vulnerability likely arises from a missing or flawed authentication check in the email-sending functionality of Getwid, a WordPress plugin known for providing blocks and enhancements for the Gutenberg editor.

Attackers exploiting this vulnerability could send phishing or spam emails appearing to originate from the site, potentially leading to social engineering attacks or administrative confusion.
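As an added illustration (not Getwid's code; the hook, action and field names below are hypothetical), here is the pattern the analysis describes, a WordPress AJAX mail endpoint reachable without any authentication check, beside a hardened version that applies nonce, capability, input and rate-limit checks:

```php
<?php
// Added illustration, not Getwid's code. Hook, action and field names are
// hypothetical; the WordPress API calls are real.

// WEAK PATTERN (CWE-287): the handler is exposed on the "nopriv" hook with no
// nonce or capability check, and the caller supplies both subject and body,
// so any visitor can have the site mail the administrator arbitrary content.
add_action( 'wp_ajax_nopriv_example_notify_admin', 'example_notify_admin_weak' );
function example_notify_admin_weak() {
    wp_mail( get_option( 'admin_email' ), $_POST['subject'], $_POST['message'] );
    wp_die();
}

// HARDENED PATTERN: only logged-in users reach the handler (no "nopriv" hook),
// the request must carry a valid nonce, the caller must hold a capability,
// the subject is fixed server-side, and sending is rate-limited per user.
add_action( 'wp_ajax_example_notify_admin', 'example_notify_admin_hardened' );
function example_notify_admin_hardened() {
    // Reject requests that did not originate from a form this site issued.
    check_ajax_referer( 'example_notify_admin', 'nonce' );

    // Require an explicit capability rather than mere login.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'error' => 'forbidden' ), 403 );
    }

    // Fixed subject so the message cannot impersonate other site workflows.
    $subject = sprintf(
        '[%s] Notification from %s',
        get_bloginfo( 'name' ),
        wp_get_current_user()->user_login
    );

    // Sanitize the body, cap its length and refuse empty messages.
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    $message = mb_substr( $message, 0, 2000 );
    if ( '' === $message ) {
        wp_send_json_error( array( 'error' => 'empty message' ), 400 );
    }

    // Per-user rate limit: one message every five minutes, stored in a transient.
    $key = 'example_notify_' . get_current_user_id();
    if ( get_transient( $key ) ) {
        wp_send_json_error( array( 'error' => 'rate limited' ), 429 );
    }
    set_transient( $key, 1, 5 * MINUTE_IN_SECONDS );

    wp_mail( get_option( 'admin_email' ), $subject, $message );
    wp_send_json_success();
}
```

Auditing a plugin for this class of bug means finding every `wp_ajax_nopriv_*` handler and REST route with `permission_callback` set to `__return_true` that ends in `wp_mail()`, and checking that a nonce, capability check and server-controlled subject stand between the request and the send.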

Potential Impact

For European organizations using the Getwid plugin, this vulnerability poses a significant risk to the integrity of internal communications and administrative processes. Attackers could exploit this flaw to send deceptive emails to site administrators, potentially leading to phishing attacks, unauthorized actions based on manipulated email content, or reputational damage if such emails are perceived as legitimate. Although the vulnerability does not directly compromise confidentiality or availability, the ability to impersonate the site in communications can facilitate further attacks, including social engineering or spear-phishing campaigns targeting European entities. Organizations relying on WordPress sites with Getwid blocks, especially those with critical administrative workflows tied to email notifications, may experience operational disruptions or security incidents stemming from this vulnerability.

Mitigation Recommendations

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include disabling or restricting the email-sending functionality of the Getwid plugin until a patch is released. Administrators should audit and monitor outgoing emails for suspicious or unauthorized content. Implementing web application firewalls (WAF) with rules to detect and block anomalous email-sending requests can reduce exploitation risk. Additionally, organizations should enforce strict access controls on WordPress admin areas and consider multi-factor authentication to limit the impact of any phishing attempts resulting from this vulnerability. Regularly updating WordPress and all plugins, including Getwid, once patches become available is critical. Finally, educating administrators about this vulnerability and potential phishing tactics can reduce the likelihood of successful social engineering attacks.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-11-08T20:57:10.685Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f0dc2182aa0cae27ff3d9

Added to database: 6/3/2025, 2:59:14 PM

Last enriched: 7/4/2025, 2:12:36 AM

Last updated: 7/31/2025, 6:47:05 AM
