PayPal Forms WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the PayPal Forms plugin for WordPress, affecting all versions through 1.0.3. The vulnerability arises from a lack of nonce validation in the form creation and management functions, allowing unauthenticated attackers to create new PayPal forms and alter payment settings. Exploitation requires tricking a site administrator into clicking a link or performing a similar action.
Impact
Exploitation of this vulnerability could lead to unauthorized creation and modification of PayPal forms and payment settings on the affected WordPress site.
Reproduction
To reproduce this vulnerability, a forged request is crafted against a WordPress site with the PayPal Forms plugin installed, targeting the form creation or management functions. The request carries the data needed to create or modify a PayPal form but omits the nonce that should be validated. It is then delivered through a logged-in administrator, for example by tricking them into clicking a link that submits it.
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
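Since the root cause is a missing nonce check, the following added illustration (not the PayPal Forms plugin's own code; the plugin's handler and field names are not known, and every identifier below is a placeholder) shows a hypothetical WordPress admin form handler in the unprotected state the advisory describes, beside the same handler hardened with a nonce and a capability check.

```php
<?php
// Added illustration, not the PayPal Forms plugin's code. All function,
// option and field names are assumed placeholders.

// Unprotected pattern: any POST arriving with the administrator's session
// cookie is honoured, so a request forged by a third-party page is accepted.
// Shown for contrast only; it is deliberately not hooked below.
function ppf_example_save_form_unprotected() {
    if ( empty( $_POST['ppf_form_title'] ) ) {
        return;
    }
    $title = sanitize_text_field( wp_unslash( $_POST['ppf_form_title'] ) );
    $email = sanitize_email( wp_unslash( $_POST['ppf_paypal_email'] ?? '' ) );
    update_option( 'ppf_example_form', array( 'title' => $title, 'email' => $email ) );
}

// Hardened pattern, step 1: render the form with a nonce bound to an action.
function ppf_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ppf_example_save_form', 'ppf_example_nonce' );
    echo '<input type="text" name="ppf_form_title">';
    echo '<input type="email" name="ppf_paypal_email">';
    submit_button( 'Save form' );
    echo '</form>';
}

// Hardened pattern, step 2: refuse the request unless the user holds the
// capability AND the nonce verifies for that action. The nonce defeats CSRF
// (a third-party page cannot obtain it); the capability check enforces
// authorization independently, since a nonce is not an authorization token.
function ppf_example_save_form_hardened() {
    if ( empty( $_POST['ppf_form_title'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'ppf_example_save_form', 'ppf_example_nonce' );
    $title = sanitize_text_field( wp_unslash( $_POST['ppf_form_title'] ) );
    $email = sanitize_email( wp_unslash( $_POST['ppf_paypal_email'] ?? '' ) );
    update_option( 'ppf_example_form', array( 'title' => $title, 'email' => $email ) );
}
add_action( 'admin_init', 'ppf_example_save_form_hardened' );
```

Until a patched release exists, a site owner can apply this same check to confirm whether a given plugin handler validates a nonce before acting on a request.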
