WordPress Option Editor Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Option Editor plugin for WordPress, version 1.0. The plugin_page() function performs no nonce validation on the form that updates options, so any request carrying the expected parameters is accepted as long as it arrives with a logged-in administrator's session cookies. An unauthenticated attacker can therefore update arbitrary options by tricking an administrator into clicking a link or visiting a page that submits a forged request from the administrator's browser. For example, the attacker could set the default role for new registrations to administrator (user registration must be enabled, but that is itself an option the same forged request can change), then register an account and obtain administrative access.
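The pattern the advisory describes, as an added example that is not the Option Editor plugin's code: a hypothetical options page whose handler trusts any POST without a nonce, followed by a hardened version of the same handler. The ex_ function names, the nonce action 'ex_save_option', the menu slug and the denied-option list are assumptions for this example.

```php
<?php
/**
 * Added example, not the Option Editor plugin's code.
 * ex_vulnerable_plugin_page() reconstructs the pattern the advisory
 * describes (options updated from a form with no nonce check);
 * ex_hardened_plugin_page() is the corrected form.
 */

// --- Vulnerable pattern: no nonce check, no capability check -------------
// Any POST to this admin page with option_name/option_value is honoured.
// If an administrator's browser submits a forged form from an attacker's
// site, the request carries the admin's session cookies and the option
// is updated without the admin noticing.
function ex_vulnerable_plugin_page() {
    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        update_option( sanitize_key( $_POST['option_name'] ), $_POST['option_value'] );
        echo '<div class="updated"><p>Option saved.</p></div>';
    }
    ?>
    <form method="post">
        <input type="text" name="option_name" />
        <input type="text" name="option_value" />
        <input type="submit" value="Save" />
    </form>
    <?php
}

// --- Hardened pattern -----------------------------------------------------
function ex_hardened_plugin_page() {
    // 1. Authorization: only users allowed to manage options may reach the page.
    //    This alone does NOT stop CSRF, because the forged request is sent by
    //    an administrator who passes this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }

    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        // 2. CSRF defence: the form must carry a nonce bound to this action and
        //    to the current user's session. A page on another origin cannot read
        //    the nonce, so a forged request fails here. check_admin_referer()
        //    calls wp_die() on failure.
        check_admin_referer( 'ex_save_option', 'ex_save_option_nonce' );

        $name  = sanitize_key( wp_unslash( $_POST['option_name'] ) );
        $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ) );

        // 3. Defence in depth (assumed list): refuse the options that turn a
        //    misused editor into a site takeover, such as default_role.
        $denied = array( 'default_role', 'users_can_register', 'admin_email', 'siteurl', 'home' );
        if ( in_array( $name, $denied, true ) ) {
            wp_die( esc_html__( 'This option cannot be edited here.' ) );
        }

        update_option( $name, $value );
        echo '<div class="updated"><p>' . esc_html__( 'Option saved.' ) . '</p></div>';
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ex_save_option', 'ex_save_option_nonce' ); ?>
        <input type="text" name="option_name" />
        <input type="text" name="option_value" />
        <input type="submit" value="Save" />
    </form>
    <?php
}

// Register the hardened page under Settings (slug is an assumption).
add_action( 'admin_menu', function () {
    add_options_page(
        'Option Editor (example)',
        'Option Editor (example)',
        'manage_options',
        'ex-option-editor',
        'ex_hardened_plugin_page'
    );
} );
```

The nonce is the fix for the reported issue; the capability check and the denied-option list are additional controls. When reviewing a plugin for this class of bug, look for every code path that calls update_option() (or delete_option()) on request data and confirm that check_admin_referer() or wp_verify_nonce() runs before it, since a capability check by itself is satisfied by the very administrator the attacker is targeting.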

Impact

Successful exploitation lets an attacker change arbitrary WordPress options through the victim administrator's browser, including the default role assigned to new users, which can lead to the attacker obtaining an administrator account on the site.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          5.0
exploitability  5.1
remediation     0.0
relevance       0.0
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.