Ally Web Accessibility and Usability WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Ally – Web Accessibility & Usability plugin for WordPress, affecting all versions through 3.8.0. The plugin's 'enable_unfiltered_files_upload' function does not adequately validate a nonce, so an unauthenticated attacker can forge a request that changes the site's file upload settings. The forged request only takes effect if a site administrator is tricked into performing an action, such as clicking a link, while logged in; the request then enables unfiltered file uploads and adds SVG files to the list of allowed upload types.
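The root cause described above is the familiar WordPress pattern of a settings handler that trusts the administrator's session cookie alone. The following is an added illustration, not the plugin's own code: the names `example_enable_unfiltered_uploads_vulnerable`, `example_enable_unfiltered_uploads_hardened`, the option `example_allow_unfiltered_uploads` and the nonce action `example_toggle_unfiltered_uploads` are all hypothetical. It shows an admin-ajax handler with the missing check beside a hardened form that requires both a capability and a nonce bound to the action.

```php
<?php
// Added example; hypothetical handler, option and nonce names (not the plugin's code).

// Vulnerable pattern: a state-changing admin-ajax handler with no nonce and no
// capability check. Any request that carries a logged-in administrator's
// cookies is honoured, so a third-party page can trigger it on their behalf.
function example_enable_unfiltered_uploads_vulnerable() {
    update_option( 'example_allow_unfiltered_uploads', 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_enable_unfiltered_uploads_vulnerable',
            'example_enable_unfiltered_uploads_vulnerable' );

// Hardened pattern: require the capability AND a nonce tied to this action.
// The nonce is minted server-side for the logged-in user and must accompany
// the request; a cross-site page has no way to obtain it.
function example_enable_unfiltered_uploads_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // check_ajax_referer() terminates the request with 403 if the nonce
    // parameter is missing, expired, or was issued for a different action.
    check_ajax_referer( 'example_toggle_unfiltered_uploads', 'nonce' );

    $enable = isset( $_POST['enable'] ) && '1' === $_POST['enable'];
    update_option( 'example_allow_unfiltered_uploads', $enable ? 1 : 0 );
    wp_send_json_success( array( 'enabled' => $enable ) );
}
add_action( 'wp_ajax_example_enable_unfiltered_uploads_hardened',
            'example_enable_unfiltered_uploads_hardened' );

// The nonce is handed to the settings page's script when it is enqueued, so
// only a page rendered by WordPress for this user can build a valid request.
function example_enqueue_settings_script( $hook_suffix ) {
    if ( 'settings_page_example' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_toggle_unfiltered_uploads' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

The capability check and the nonce check serve different purposes and both are needed: the capability check stops low-privilege users from reaching the handler directly, while the nonce check stops a privileged user's browser from being driven by another site. Reviewers auditing a plugin for this class of bug can look for every `update_option` reachable from a `wp_ajax_*`, `admin_post_*` or REST callback and confirm that a `check_ajax_referer`, `check_admin_referer` or `wp_verify_nonce` call guards it.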

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, specifically of SVG files. Because SVG files can carry embedded scripts, this could be used for malicious purposes, such as executing harmful scripts in visitors' browsers or otherwise compromising the site.

Remediation

Users are advised to update the Ally – Web Accessibility & Usability WordPress plugin to version 3.8.1 or a later patched version.

Added: Oct 16, 2025, 3:17 AM
Updated: Oct 16, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 0.7
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.