Norby AI WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Norby AI plugin for WordPress, affecting all versions through 1.0.3. The vulnerability arises from a lack of nonce validation in the settings update feature, which allows unauthenticated attackers to manipulate the plugin's settings via a forged request. Exploitation requires tricking a site administrator into clicking a link that sends the forged request, potentially resulting in the injection of malicious scripts.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in the plugin's settings, with the possibility of injecting malicious web scripts.
Reproduction
To reproduce this vulnerability, an attacker must send a forged request without a valid nonce to the WordPress site, targeting the settings update functionality of the Norby AI plugin. This is done by tricking an administrator into clicking a link that triggers the request, in the manner of a phishing attack.
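The missing nonce check described above, shown as an added illustrative pattern rather than the Norby AI plugin's own code: a settings handler that stores whatever is POSTed, beside the hardened form that verifies the nonce and the user's capability before saving. The function, option and action names (example_ai_*) are placeholders, not identifiers from the plugin.

```php
<?php
// Added illustrative example, not the Norby AI plugin's code.
// Function, option and action names (example_ai_*) are placeholders.

// VULNERABLE pattern: saves posted settings with no nonce or capability check,
// so a cross-site form submission made by a logged-in administrator's browser
// is accepted exactly like a legitimate settings save.
function example_ai_save_settings_vulnerable() {
    if ( isset( $_POST['example_ai_api_key'] ) ) {
        update_option( 'example_ai_api_key', $_POST['example_ai_api_key'] );
        update_option( 'example_ai_widget_html', $_POST['example_ai_widget_html'] );
    }
}

// HARDENED pattern: the settings form carries a nonce tied to this action.
function example_ai_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_ai_save_settings', 'example_ai_nonce' ); ?>
        <input type="text" name="example_ai_api_key"
               value="<?php echo esc_attr( get_option( 'example_ai_api_key', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// HARDENED pattern: the handler verifies capability and nonce, then sanitizes.
function example_ai_save_settings_hardened() {
    if ( ! isset( $_POST['example_ai_api_key'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless the request carries a valid, unexpired nonce for this action;
    // a page on another origin cannot obtain or guess that value.
    check_admin_referer( 'example_ai_save_settings', 'example_ai_nonce' );

    update_option( 'example_ai_api_key',
        sanitize_text_field( wp_unslash( $_POST['example_ai_api_key'] ) ) );
    // Restrict stored markup to a safe subset so a settings change cannot inject scripts.
    update_option( 'example_ai_widget_html',
        wp_kses_post( wp_unslash( $_POST['example_ai_widget_html'] ?? '' ) ) );
}
add_action( 'admin_init', 'example_ai_save_settings_hardened' );
```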
