Web Accessibility by accessiBe WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web Accessibility by accessiBe plugin for WordPress, affecting all versions through 2.10. The vulnerability arises from inadequate nonce validation on several AJAX actions, including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This lack of validation allows unauthenticated attackers to manipulate plugin settings and generate verification files by sending forged requests, provided they can deceive a site administrator into clicking a link or performing a similar action.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in plugin settings and the creation of verification files on behalf of an administrator.

Reproduction

To reproduce this vulnerability, an attacker must exploit the missing nonce validation by sending a forged request that triggers one of the vulnerable AJAX actions. This can be done by tricking a site administrator into clicking a link that activates the request, similar to a phishing attack.

Remediation

Users are advised to update the Web Accessibility by accessiBe plugin to version 2.11 or later.