Rabbit Hole WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Rabbit Hole plugin for WordPress, affecting all versions through 1.1. The plugin's reset feature acts without validating a nonce, so a request forged by an attacker who holds no account on the site is accepted as long as the victim's browser attaches an administrator's session cookie. Exploitation requires tricking a logged-in site administrator into clicking a link or loading an attacker-controlled page, but the risk is heightened because the reset action is executed via a GET request: it can be triggered by an image tag or a plain hyperlink, with no form submission or JavaScript required.

Impact

Exploitation of this vulnerability allows for unauthorized resetting of the plugin's settings, potentially disrupting configured behaviors or preferences.

Reproduction

To reproduce this vulnerability, an attacker crafts a link (or embeds an image tag) whose URL is the GET request that resets the Rabbit Hole plugin's settings, and delivers it to a WordPress site administrator. When the administrator's browser follows the link while holding a valid admin session, the plugin's configuration is reset without the administrator intending it. Because no nonce is checked, the plugin cannot distinguish this forged request from one the administrator issued deliberately; the attacker needs no credentials of their own, since the victim's browser supplies the session cookie. Note that browsers which default cookies to SameSite=Lax withhold the session cookie on cross-site image loads but still send it on a top-level link click, so the hyperlink vector remains effective even where the image-tag vector is blocked.

Remediation

No patch is known to be available for this vulnerability. Until one is released, deactivate and uninstall the affected plugin, or at minimum ensure administrators do not browse untrusted sites while holding an active WordPress admin session. A proper fix requires the reset handler to verify a WordPress nonce, check the caller's capability, and accept the action only via a POST request rather than a bare GET.
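The handler pattern behind the Reproduction and Remediation sections above, shown as an added example in PHP. This is not the Rabbit Hole plugin's own code: the query parameter, option name, menu slug, nonce action and text domain (example_reset, example_plugin_settings, example-plugin) are hypothetical placeholders, and the real plugin's names are not given in this advisory. The first function reproduces the vulnerable shape (a GET-triggered reset with no nonce or capability check); the second is the hardened form a patch would need to take, using the standard WordPress nonce and capability APIs.

```php
<?php
/**
 * Illustrative example added to this advisory. It is NOT the Rabbit Hole
 * plugin's code. All names below (example_reset, example_plugin_settings,
 * example-plugin, _example_nonce) are hypothetical placeholders.
 */

// --- Vulnerable pattern (the shape the advisory describes) -----------------
// The reset runs on any GET request that carries the administrator's session
// cookie. There is no nonce, no capability check and no POST requirement, so
// <img src="https://victim.example/wp-admin/?example_reset=1"> on an
// attacker's page is enough once a logged-in admin loads it.
function example_vulnerable_reset_handler() {
    if ( isset( $_GET['example_reset'] ) ) {
        delete_option( 'example_plugin_settings' );          // hypothetical option
        wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
        exit;
    }
}
// (Deliberately not hooked; shown only for contrast with the version below.)

// --- Hardened pattern ------------------------------------------------------
// 1. Only a POST request can trigger the reset, so a link or image tag cannot.
// 2. The caller must hold manage_options; a nonce proves intent, not authority.
// 3. check_admin_referer() verifies a nonce bound to the 'example_reset'
//    action and to the current user's session, and calls wp_die() on failure.
function example_hardened_reset_handler() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['example_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-plugin' ), 403 );
    }
    check_admin_referer( 'example_reset', '_example_nonce' );

    delete_option( 'example_plugin_settings' );              // hypothetical option
    wp_safe_redirect(
        add_query_arg( 'reset', '1', admin_url( 'options-general.php?page=example-plugin' ) )
    );
    exit;
}
add_action( 'admin_init', 'example_hardened_reset_handler' );

// Settings-page form that issues the reset. wp_nonce_field() emits the hidden
// nonce input that check_admin_referer() validates above; only a page rendered
// for this user on this site can contain a token that passes that check.
function example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example-plugin' ) ); ?>">
        <?php wp_nonce_field( 'example_reset', '_example_nonce' ); ?>
        <input type="hidden" name="example_reset" value="1">
        <?php submit_button( __( 'Reset settings', 'example-plugin' ), 'delete' ); ?>
    </form>
    <?php
}
```

The capability check is kept separate from the nonce check on purpose: a WordPress nonce only shows that the request originated from a page the site served to this user, while current_user_can() decides whether that user is allowed to perform the reset at all. Moving the action to POST is what closes the image-tag and hyperlink vectors described in the Reproduction section, since neither can issue a cross-site POST carrying a valid nonce.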

Added: Dec 12, 2025, 5:32 AM
Updated: Dec 12, 2025, 5:32 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  7.4
  remediation     0.0
  relevance       1.3
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.