Purchase and Expense Manager WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Purchase and Expense Manager plugin for WordPress, affecting all versions up to and including 1.1.2. The vulnerability arises from a lack of nonce validation in the 'sup_pt_handle_deletion' function, allowing unauthenticated attackers to delete arbitrary purchase records. Exploitation requires tricking a site administrator into clicking a link that initiates the deletion.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of purchase records from the WordPress database.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the 'sup_pt_handle_deletion' function without a valid nonce. This can be done by tricking an administrator into clicking a link that activates the request, such as through a phishing email or a malicious website.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.