Scratch & Win WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Scratch & Win WordPress plugin, specifically in versions through 2.7.1. The issue arises from the reset_installation() function, which lacks proper nonce validation. This vulnerability allows unauthenticated attackers to reset the plugin's installation by sending a forged request, provided they can persuade a site administrator to click a link or perform a similar action.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can trick a user into performing actions they did not intend to, potentially leading to unauthorized changes or resets within the plugin.

Reproduction

To reproduce this vulnerability, an attacker must send a request to the WordPress site that includes the action to reset the Scratch & Win plugin installation. This request can be sent without authentication, but it must be crafted to appear as if it is coming from a trusted source. The attacker must also convince an administrator to click a link or perform an action that triggers the request, such as through a social engineering tactic.

Remediation

Users are advised to update the Scratch & Win WordPress plugin to version 2.8.0 or later, where this vulnerability has been patched.