CVE-2023-6048: CWE-862 Missing Authorization in Unknown Estatik Real Estate Plugin
The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent users with low privileges on the site, such as subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset.
AI Analysis
Technical Summary
CVE-2023-6048 is a vulnerability in the Estatik Real Estate Plugin for WordPress, affecting versions prior to 4.1.1. The core issue is a missing authorization control (CWE-862): the plugin's code does not restrict option changes to authorized users, so users with low privileges, such as subscribers, can set any of the site's options to a value of 1. This unauthorized modification can disrupt the normal functioning of the website and lead to a denial of service (DoS) condition when critical options are reset. The vulnerability does not directly impact confidentiality or integrity, but it severely affects availability by enabling low-privileged users to break site functionality. The assigned CVSS v3.1 score is 6.5 (medium severity): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), and high impact on availability (A:H). No known exploits are currently reported in the wild, and no official patches have been linked yet. Because the flaw can be exploited remotely by authenticated users with minimal privileges, it is a significant risk for WordPress sites using this plugin, especially those that allow subscriber-level registrations.
Potential Impact
For European organizations using WordPress sites with the Estatik Real Estate Plugin, this vulnerability poses a risk primarily to site availability. Attackers with subscriber-level access, which can be obtained through legitimate registration or compromised accounts, can disrupt site operations by resetting critical options. This could lead to service outages, loss of user trust, and potential revenue impact, especially for real estate businesses relying on their online presence for client engagement and listings. While the vulnerability does not expose sensitive data or allow data tampering, the denial of service impact can degrade user experience and damage brand reputation. Additionally, organizations subject to strict uptime and service availability requirements under European regulations (e.g., GDPR's availability principle) may face compliance challenges if service disruptions occur. The risk is heightened for sites with open registration policies or weak user account controls.
Mitigation Recommendations
European organizations should immediately verify if their WordPress installations use the Estatik Real Estate Plugin and check the plugin version. If running a version prior to 4.1.1, they should upgrade to the latest patched version as soon as it becomes available. In the absence of an official patch, administrators should restrict subscriber-level permissions to prevent unauthorized option changes, possibly by customizing user roles or employing security plugins that enforce stricter capability controls. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious option modification requests can provide temporary protection. Regularly auditing user accounts and limiting subscriber registrations can reduce the attack surface. Monitoring site logs for unusual option change activities is also recommended. Finally, organizations should maintain a robust backup and recovery plan to restore site functionality quickly if a DoS condition is triggered.
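An added example, not part of the original advisory or the plugin's code: one way to act on the monitoring advice above is to diff two snapshots taken with `wp option list --format=json` and flag options whose stored data collapsed to `1`. The snapshot contents and option names below are constructed for illustration.

```python
import json

# Values an ordinary on/off toggle holds; a flip between these is not flagged.
BOOLEAN_LIKE = {"", "0", "1"}

def load_options(wp_cli_json):
    """Parse `wp option list --format=json` output into {name: value}."""
    rows = json.loads(wp_cli_json)
    return {row["option_name"]: str(row["option_value"]) for row in rows}

def options_collapsed_to_one(baseline, current):
    """Return options that now hold "1" but previously held real data.

    A URL, e-mail address or serialized array turning into "1" matches the
    effect described for CVE-2023-6048; a normal 0 -> 1 toggle does not.
    """
    findings = []
    for name, new_value in sorted(current.items()):
        old_value = baseline.get(name)
        if new_value != "1" or old_value is None:
            continue  # not set to 1, or the option is new since the baseline
        if old_value not in BOOLEAN_LIKE:
            findings.append({"option": name, "was": old_value, "now": new_value})
    return findings

# Constructed snapshots; the option names are hypothetical placeholders.
BASELINE_JSON = json.dumps([
    {"option_name": "example_site_address", "option_value": "https://example.test"},
    {"option_name": "example_notify_email", "option_value": "admin@example.test"},
    {"option_name": "example_layout", "option_value": 'a:1:{s:4:"cols";i:3;}'},
    {"option_name": "example_feature_enabled", "option_value": "0"},
])
CURRENT_JSON = json.dumps([
    {"option_name": "example_site_address", "option_value": "1"},
    {"option_name": "example_notify_email", "option_value": "admin@example.test"},
    {"option_name": "example_layout", "option_value": "1"},
    {"option_name": "example_feature_enabled", "option_value": "1"},
    {"option_name": "example_new_flag", "option_value": "1"},
])

if __name__ == "__main__":
    baseline = load_options(BASELINE_JSON)
    current = load_options(CURRENT_JSON)
    for hit in options_collapsed_to_one(baseline, current):
        print(f"{hit['option']}: {hit['was']!r} -> {hit['now']!r}")
```

Flagged options can be restored from the baseline snapshot or a backup once the plugin has been updated.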
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2023-11-09T10:03:23.827Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f034b182aa0cae27e6707
Added to database: 6/3/2025, 2:14:35 PM
Last enriched: 7/3/2025, 8:26:48 PM
Last updated: 8/16/2025, 5:24:28 AM