Latest Registered Users WordPress Plugin Missing Authorization Vulnerability Allowing Unauthenticated User Data Export

Vulnerability

A missing-authorization vulnerability exists in the Latest Registered Users plugin for WordPress, affecting all versions up to and including 1.4. The 'rnd_handle_form_submit' function, which is registered on both the 'admin_post_my_simple_form' and 'admin_post_nopriv_my_simple_form' actions, performs neither a capability check nor nonce validation. WordPress dispatches 'admin_post_nopriv_*' actions for requests that carry no valid authentication cookie, so any unauthenticated client that sends 'my_simple_form' in the 'action' parameter to admin-post.php reaches the handler and receives a CSV export of all user records (passwords and sensitive tokens are not included in the export).

Impact

Exploitation allows an attacker without any account on the site to obtain the full user records as a CSV file. Password hashes and sensitive tokens are not part of the export, so the direct consequence is disclosure of personal data rather than account takeover; the exported user details are nonetheless useful for targeting the site's users in follow-on attacks.

Reproduction

An unauthenticated client sends a POST request to 'admin-post.php' with the 'action' parameter set to 'my_simple_form'. The plugin's intended trigger is a button it adds to the 'users.php' admin page, but the request does not have to originate there: admin-post.php routes the request to the 'admin_post_nopriv_my_simple_form' action whenever no authentication cookie is present, and the handler performs no authorization or nonce check of its own, so the CSV export is returned to the anonymous requester. Receiving the CSV of user records in the response without having logged in confirms the issue.
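The following is an added example, not the plugin's own code, that shows the handler shape the advisory describes beside a hardened version of the same admin-post.php flow, and the users.php button that feeds it. The hook and function names are the ones named above; the nonce action 'rnd_export_users', the nonce field 'rnd_export_nonce', the helper names 'rnd_handle_form_submit_secure', 'rnd_render_export_button' and 'rnd_stream_users_csv', the exported column set, and the choice of the 'list_users' capability are assumptions.

```php
<?php
/*
 * Added example (not the plugin's code). Assumed names: rnd_handle_form_submit_secure,
 * rnd_render_export_button, rnd_stream_users_csv, nonce action 'rnd_export_users',
 * nonce field 'rnd_export_nonce', capability 'list_users'.
 */

/* --- Vulnerable shape, as described in the advisory ---------------------------
 * admin_post_nopriv_* fires for requests WITHOUT a valid auth cookie, so the
 * second registration hands the export to anyone who can reach admin-post.php,
 * and the handler itself checks neither capability nor nonce.
 * The two add_action() calls are commented out so this file, as written, is safe.
 */
// add_action( 'admin_post_my_simple_form',        'rnd_handle_form_submit' );
// add_action( 'admin_post_nopriv_my_simple_form', 'rnd_handle_form_submit' );
function rnd_handle_form_submit() {
    rnd_stream_users_csv();   // no current_user_can(), no check_admin_referer()
    exit;
}

/* --- Hardened shape ------------------------------------------------------------
 * 1. Only the authenticated hook is registered. A user export has no legitimate
 *    unauthenticated caller, so the nopriv variant is simply not registered.
 */
add_action( 'admin_post_my_simple_form', 'rnd_handle_form_submit_secure' );

function rnd_handle_form_submit_secure() {
    // 2. Authorization: tie the action to a capability that covers the data.
    //    'list_users' is the closest core capability (assumption; adjust to policy).
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to export users.', 'rnd' ), '', array( 'response' => 403 ) );
    }
    // 3. CSRF: verify the nonce emitted by the form on users.php.
    //    check_admin_referer() calls wp_die() itself when the nonce is missing or stale.
    check_admin_referer( 'rnd_export_users', 'rnd_export_nonce' );

    rnd_stream_users_csv();
    exit;
}

/* The button on users.php. wp_nonce_field() emits the hidden field that the
 * hardened handler verifies; the button is hidden from users who lack the capability.
 */
function rnd_render_export_button() {
    if ( ! current_user_can( 'list_users' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="my_simple_form">
        <?php wp_nonce_field( 'rnd_export_users', 'rnd_export_nonce' ); ?>
        <?php submit_button( __( 'Export users (CSV)', 'rnd' ), 'secondary', 'submit', false ); ?>
    </form>
    <?php
}

/* Shared CSV writer. It selects an explicit column list so that password hashes,
 * activation keys and similar fields can never leak through a wildcard query.
 */
function rnd_stream_users_csv() {
    $columns = array( 'ID', 'user_login', 'user_email', 'display_name', 'user_registered' );

    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="users.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, $columns );
    foreach ( get_users( array( 'fields' => $columns ) ) as $user ) {
        $row = array();
        foreach ( $columns as $column ) {
            $row[] = $user->$column;
        }
        fputcsv( $out, $row );
    }
    fclose( $out );
}
```

The order of the two checks in the hardened handler matters: the capability check decides whether this principal may ever perform the export, and the nonce check only proves that an already-authorized principal intended this particular request. A nonce on its own is not an authorization control, and dropping the 'admin_post_nopriv_' registration is what removes the unauthenticated path entirely.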

Added: Jan 7, 2026, 4:59 PM
Updated: Jan 7, 2026, 4:59 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.4
remediation     0.0
relevance       1.9
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.