CVE-2023-6369 is a medium-severity vulnerability affecting the WordPress plugin 'Export WP Page to Static HTML/CSS' developed by recorp. The vulnerability arises from a missing authorization check (CWE-862) on multiple AJAX actions within the plugin, present in all versions up to and including 2.1.9. Specifically, the plugin fails to verify whether the authenticated user has the appropriate capabilities before allowing access to certain AJAX endpoints. This flaw enables any authenticated user with subscriber-level privileges or higher to perform unauthorized actions such as disclosing sensitive information or modifying advanced plugin settings. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and no UI is required (UI:N). The CVSS v3.1 base score is 5.4, reflecting limited confidentiality and integrity impact without affecting availability. Exploitation could lead to leakage of sensitive data managed by the plugin or unauthorized configuration changes that may weaken the security posture of the affected WordPress site. No known exploits are reported in the wild as of the publication date (January 11, 2024).

For European organizations using WordPress websites with the 'Export WP Page to Static HTML/CSS' plugin, this vulnerability poses a moderate risk. Unauthorized disclosure of sensitive data could include configuration details or other information stored or processed by the plugin, potentially aiding further attacks. Modification of plugin settings by low-privileged users could lead to misconfigurations that degrade security or operational integrity. Since WordPress is widely used across Europe for corporate, governmental, and e-commerce sites, exploitation could undermine trust, cause data leaks, or disrupt website functionality. Organizations with subscriber-level user roles on their WordPress sites are particularly at risk, as these users could leverage the vulnerability to escalate privileges or extract sensitive information. The impact is more pronounced for sites handling personal data subject to GDPR, as unauthorized data exposure could lead to regulatory penalties and reputational damage.

To mitigate this vulnerability, European organizations should immediately update the 'Export WP Page to Static HTML/CSS' plugin to a patched version once available. In the absence of an official patch, administrators should restrict subscriber-level user capabilities or remove unnecessary user accounts with such privileges. Implementing strict role-based access control (RBAC) and auditing user permissions can reduce the attack surface. Additionally, monitoring AJAX requests to detect anomalous or unauthorized access attempts targeting the plugin's endpoints can help identify exploitation attempts. Web application firewalls (WAFs) can be configured to block suspicious AJAX calls or limit access to authenticated users with verified roles. Regular security assessments and plugin audits should be conducted to ensure no other missing authorization issues exist. Finally, organizations should maintain comprehensive logging to facilitate incident response if exploitation occurs.