AI Scribe WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the AI Scribe WordPress plugin, specifically in versions 2.3 and prior. The issue arises from inadequate nonce validation on the 'al_scribe_content_data' action, allowing unauthenticated attackers to manipulate plugin settings. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in the plugin's settings, potentially allowing for further exploitation or misuse of the plugin's features.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the 'al_scribe_content_data' action via 'admin-ajax.php'. This request can be crafted to include the necessary data for updating the plugin's settings. The attack must be orchestrated in a way that convinces an administrator to click a link or perform an action that triggers the forged request, effectively bypassing the missing nonce validation.

Remediation

Users are advised to update the AI Scribe WordPress plugin to version 2.5, where this vulnerability has been addressed.