wp-greet WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the wp-greet plugin for WordPress, affecting all versions up to and including 6.2. The vulnerability arises from inadequate nonce validation on a settings-handling request: an unauthenticated attacker can manipulate plugin settings and inject malicious scripts by tricking a logged-in administrator into clicking a crafted link.
Impact
Exploitation of this vulnerability could lead to Cross-Site Scripting (XSS) attacks, where injected scripts are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, an attacker must exploit the missing nonce validation by causing a logged-in administrator's browser to submit a forged request to a WordPress site with the wp-greet plugin installed. In practice this means tricking the administrator into clicking a link that carries the malicious payload, whether through social engineering or by chaining another vulnerability that allows such a request to be triggered.
Remediation
Users are advised to update the wp-greet plugin to version 6.3 or later, where this vulnerability has been patched.
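The defect class described above, and the shape of its fix, as an added illustration that is not wp-greet's own code: a hypothetical WordPress settings handler (the function names, the option name wpg_greeting, the nonce action wpg_save_settings and the nonce field wpg_nonce are all assumed) shown first without a nonce check and then with nonce verification, a capability check and output sanitisation.

```php
<?php
// Hypothetical plugin settings handler illustrating the defect class in the
// advisory above. All wpg_* names are assumed, not taken from wp-greet.

// VULNERABLE: the handler trusts any POST that reaches admin-post.php.
// A form on a third-party page submitted from a logged-in admin's browser
// carries the admin's session cookies, so the option is overwritten with
// attacker-chosen markup that is later rendered as stored XSS.
function wpg_save_settings_vulnerable() {
    if ( isset( $_POST['wpg_greeting'] ) ) {
        update_option( 'wpg_greeting', $_POST['wpg_greeting'] ); // raw, unchecked
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=wpg' ) );
    exit;
}

// HARDENED: require a valid nonce bound to this action, require the
// capability to manage options, and sanitise the value before storing it.
function wpg_save_settings_hardened() {
    // check_admin_referer() stops the request with a 403-style error when the
    // nonce is missing or invalid. Nonces are per-user and time-limited, so a
    // cross-site page cannot supply one.
    check_admin_referer( 'wpg_save_settings', 'wpg_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpg' ), '', array( 'response' => 403 ) );
    }

    $greeting = isset( $_POST['wpg_greeting'] )
        ? wp_kses_post( wp_unslash( $_POST['wpg_greeting'] ) ) // strips <script> and event handlers
        : '';
    update_option( 'wpg_greeting', $greeting );

    wp_safe_redirect( admin_url( 'options-general.php?page=wpg' ) );
    exit;
}
add_action( 'admin_post_wpg_save_settings', 'wpg_save_settings_hardened' );

// The legitimate settings form must emit the nonce field the handler checks.
function wpg_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpg_save_settings">
        <?php wp_nonce_field( 'wpg_save_settings', 'wpg_nonce' ); ?>
        <textarea name="wpg_greeting"><?php echo esc_textarea( get_option( 'wpg_greeting', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, look for every admin_post_*, admin-ajax.php or options-page handler that writes options and confirm it calls check_admin_referer() or wp_verify_nonce() and a current_user_can() check before the write.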
