Animated Pixel Marquee Creator WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Animated Pixel Marquee Creator plugin for WordPress, affecting all versions through 1.0.0. The vulnerability arises from a lack of nonce validation in the marquee deletion function, which allows unauthenticated attackers to delete arbitrary marquees via a forged request, provided they can trick a site administrator into clicking a link.
Impact
Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can perform actions on behalf of an authenticated user, potentially leading to unauthorized changes or deletions.
Reproduction
To reproduce this vulnerability, an attacker must cause the WordPress site to receive a forged request carrying the 'marquee' parameter, aimed at the deletion function of the Animated Pixel Marquee Creator plugin. The request must arrive in the context of an authenticated user, such as a site administrator; this is achieved by tricking the administrator into clicking a link that contains the forged request, so that the browser submits it with the administrator's session. Because the deletion function performs no nonce validation, the marquee is deleted without any verification that the administrator intended the action.
Remediation
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
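The missing nonce check described above, shown beside the check that closes the gap, as an added illustration rather than the plugin's own code: the function and option names (apmc_*) are hypothetical, and only the 'marquee' request parameter comes from the advisory.

```php
<?php
// Added illustration, not the plugin's actual code. The function and option
// names (apmc_*) are hypothetical; only the 'marquee' request parameter
// comes from the advisory.

// VULNERABLE pattern as the advisory describes it: the handler acts on any
// request carrying ?marquee=<id>, so an administrator who follows a crafted
// link deletes a marquee without intending to. Deliberately not hooked here.
function apmc_delete_marquee_vulnerable() {
    if ( isset( $_GET['marquee'] ) ) {
        $id       = absint( $_GET['marquee'] );
        $marquees = get_option( 'apmc_marquees', array() );
        unset( $marquees[ $id ] );
        update_option( 'apmc_marquees', $marquees );
    }
}

// HARDENED pattern: the delete link carries a nonce bound to the action and
// the marquee id, and the handler refuses to act unless that nonce verifies
// and the user holds the required capability.
function apmc_delete_marquee_link( $id ) {
    $url = add_query_arg(
        array( 'action' => 'apmc_delete', 'marquee' => absint( $id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'apmc_delete_marquee_' . absint( $id ) );
}

function apmc_delete_marquee_hardened() {
    if ( ! isset( $_GET['marquee'] ) ) {
        return;
    }
    $id = absint( $_GET['marquee'] );

    // Stops forged requests: a third-party page cannot obtain this nonce,
    // and check_admin_referer() terminates with a 403 when it is missing.
    check_admin_referer( 'apmc_delete_marquee_' . $id );

    // A nonce proves intent, not authorization, so check capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete marquees.' ), 403 );
    }

    $marquees = get_option( 'apmc_marquees', array() );
    unset( $marquees[ $id ] );
    update_option( 'apmc_marquees', $marquees );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_apmc_delete', 'apmc_delete_marquee_hardened' );
```

Until a patched release exists, site owners can only confirm that the plugin's delete handler lacks a check of this kind and weigh that against uninstalling it, as the advisory recommends.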
