Web to SugarCRM Lead WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web to SugarCRM Lead plugin for WordPress, affecting all versions through 1.0.0. The vulnerability arises from a lack of nonce validation in the custom field deletion feature, allowing unauthenticated attackers to delete custom fields via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.
Impact
Successful exploitation results in Cross-Site Request Forgery: the plugin's custom fields can be deleted without proper authorization, using the privileges of the administrator whose browser submits the forged request.
Reproduction
To reproduce this vulnerability, an attacker must cause a forged custom field deletion request to be submitted, carrying the parameters the deletion handler expects; because the handler performs no nonce validation, nothing in the request ties it to the plugin's own admin page. This is done by tricking a logged-in administrator into clicking a link that triggers the request, for example via a crafted email or message.
Remediation
Users are advised to update the Web to SugarCRM Lead plugin to version 1.0.1 or later.
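The root cause described above is a state-changing admin action that is reachable without a WordPress nonce. The following is an added illustration, not code from the Web to SugarCRM Lead plugin: it shows a hypothetical deletion handler in the unsafe shape the advisory describes, next to a hardened version that checks both a capability and a nonce, plus the helper that renders the nonce-protected link. The hook name `w2l_delete_field`, the option `w2l_custom_fields`, the `field` query parameter and the `w2l` text domain are all assumptions made for the example.

```php
<?php
/**
 * Added example (not the plugin's own code). All names below are hypothetical.
 *
 * UNSAFE pattern: any request that names a field deletes it. Because no nonce is
 * validated, a page controlled by a third party can make a logged-in
 * administrator's browser issue this request, which is exactly the CSRF
 * condition the advisory describes.
 */
add_action( 'admin_post_w2l_delete_field_unsafe', 'w2l_delete_field_unsafe' );
function w2l_delete_field_unsafe() {
    $field  = isset( $_GET['field'] ) ? sanitize_key( wp_unslash( $_GET['field'] ) ) : '';
    $fields = get_option( 'w2l_custom_fields', array() );

    unset( $fields[ $field ] );                 // state change with no proof of intent
    update_option( 'w2l_custom_fields', $fields );

    wp_safe_redirect( admin_url( 'admin.php?page=w2l-settings' ) );
    exit;
}

/**
 * HARDENED pattern: a capability check answers "may this user do this at all?",
 * and the nonce check answers "did this request come from a link or form the
 * plugin rendered for this user, for this specific field?". Both are needed;
 * a nonce alone is not an authorization control.
 */
add_action( 'admin_post_w2l_delete_field', 'w2l_delete_field_safe' );
function w2l_delete_field_safe() {
    // 1. Authorization: only users who may manage the plugin can delete fields.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'w2l' ), 403 );
    }

    // 2. Nonce bound to the action AND the target field. check_admin_referer()
    //    calls wp_die() with a 403 if the nonce is missing, expired or forged,
    //    so execution never reaches the state change on a cross-site request.
    $field = isset( $_GET['field'] ) ? sanitize_key( wp_unslash( $_GET['field'] ) ) : '';
    check_admin_referer( 'w2l_delete_field_' . $field, '_wpnonce' );

    // 3. Validate the target before touching stored data.
    $fields = get_option( 'w2l_custom_fields', array() );
    if ( '' === $field || ! array_key_exists( $field, $fields ) ) {
        wp_die( esc_html__( 'Unknown custom field.', 'w2l' ), 400 );
    }

    unset( $fields[ $field ] );
    update_option( 'w2l_custom_fields', $fields );

    wp_safe_redirect( admin_url( 'admin.php?page=w2l-settings&deleted=1' ) );
    exit;
}

/**
 * Renders the delete link on the plugin's settings page. wp_nonce_url() appends
 * a _wpnonce value tied to the current user, the current session and the
 * action string, which is what check_admin_referer() verifies above. The nonce
 * action must match character-for-character on both sides.
 */
function w2l_delete_field_link( $field ) {
    $field = sanitize_key( $field );
    $url   = admin_url( 'admin-post.php?action=w2l_delete_field&field=' . rawurlencode( $field ) );
    $url   = wp_nonce_url( $url, 'w2l_delete_field_' . $field, '_wpnonce' );

    return sprintf(
        '<a href="%s" class="delete">%s</a>',
        esc_url( $url ),
        esc_html__( 'Delete', 'w2l' )
    );
}
```

Two design points are worth keeping in mind when reviewing a fix like the one in 1.0.1: the nonce action should include the identifier of the object being acted on (here the field key), so a nonce issued for one deletion cannot be replayed against another, and the nonce check must run before any call that changes stored state, since `check_admin_referer()` only protects the code that follows it.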