Automate Hub Free by Sperse.IO WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Automate Hub Free by Sperse.IO plugin for WordPress, affecting all versions through 1.7.0. The vulnerability arises from inadequate nonce validation on the 'automate_hub' page, which allows an unauthenticated attacker to manipulate activation statuses by tricking a site administrator into clicking a link.
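The defensive pattern the missing check should have followed, as an added illustration that is not the plugin's code: a hypothetical WordPress admin-page handler that toggles an activation status, shown first without nonce or capability validation and then hardened with check_admin_referer() and current_user_can(). All function, option and nonce names are assumptions.

```php
<?php
// Added illustration (not the plugin's code). A handler on an admin page
// such as admin.php?page=automate_hub that toggles an "activation status".
// Option, action and nonce names are hypothetical.

// Weak handler: processes any request that reaches the page while an
// administrator is logged in, including one forged by another site.
function example_toggle_activation_weak() {
    if ( ! isset( $_GET['toggle'] ) ) {
        return;
    }
    // No nonce check and no capability check: the browser's session cookie is
    // the only thing authenticating this request, which is what CSRF abuses.
    update_option( 'example_automation_active', '1' === $_GET['toggle'] ? 1 : 0 );
}

// Hardened handler: state changes require POST, a capability and a valid nonce.
function example_toggle_activation_hardened() {
    if ( ! isset( $_POST['toggle'] ) ) {
        return;
    }
    // 1. Require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Verify the per-user, per-action nonce. check_admin_referer() also
    //    checks the admin referer and stops execution when validation fails.
    check_admin_referer( 'example_toggle_activation', '_example_nonce' );
    // 3. Only after both checks pass, act on the sanitized value.
    $active = ( '1' === sanitize_text_field( wp_unslash( $_POST['toggle'] ) ) ) ? 1 : 0;
    update_option( 'example_automation_active', $active );
}

// The legitimate form that carries the nonce the hardened handler expects.
function example_render_toggle_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=automate_hub' ) ); ?>">
        <?php wp_nonce_field( 'example_toggle_activation', '_example_nonce' ); ?>
        <input type="hidden" name="toggle" value="1">
        <?php submit_button( 'Activate' ); ?>
    </form>
    <?php
}
```

A request that lacks the nonce field, carries a nonce issued for another user or action, or arrives without the manage_options capability is rejected before update_option() runs.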

Impact

Successful exploitation causes a logged-in administrator's browser to submit a request the attacker crafted, so the plugin performs the action as that user, potentially leading to unauthorized changes in the WordPress admin area.

Reproduction

To reproduce this vulnerability, an attacker must cause a forged request to be sent to the 'automate_hub' page; because nonce validation is inadequate, the request is accepted. This is done by tricking an administrator into clicking a link that carries the malicious request, for example via email or a compromised website.

Remediation

No known patch is available for this vulnerability. It is recommended to uninstall the affected plugin and find a replacement.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.