WordPress Resource Library for Logged In Users Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Resource Library for Logged In Users plugin for WordPress, affecting all versions through 1.4. The vulnerability arises from missing or inadequate nonce validation on several administrative functions. An unauthenticated attacker can exploit it by deceiving a logged-in site administrator into clicking a crafted link: the administrator's browser sends the forged request with the administrator's session cookies attached, and the plugin performs unauthorized actions such as creating, editing, or deleting resources and categories.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in the resource and category management of the affected WordPress site, allowing for the creation, modification, or deletion of these items without proper authorization.
Reproduction
To reproduce this vulnerability, an attacker crafts a request to one of the affected administrative functions, omitting the nonce that the plugin should require, and delivers it to an administrator as a link or by embedding it in an attacker-controlled page so that the administrator's browser submits it without the administrator realizing it. Because the handler validates neither a nonce nor the origin of the request, the action executes with the administrator's privileges. Social engineering is required; the administrator must be logged in and must open the attacker's link or page. The specific endpoints and parameters are not detailed here.
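The following is an added example, not code from the plugin or from this advisory. It shows the pattern that makes a WordPress admin action forgeable (an admin-post handler that trusts any request carrying the administrator's cookies) beside the same handler protected by a nonce and a capability check. The hook names (rl_delete_resource, rl_delete_resource_vuln), the resource_id parameter, the _rl_nonce field name and the menu slug are hypothetical, chosen only to illustrate the technique.

```php
<?php
// Added example (not the plugin's code). The hook names, parameter names
// and nonce field name below are hypothetical.

// VULNERABLE pattern: the handler trusts any request that arrives with the
// administrator's cookies. Nothing proves the request came from a form the
// plugin itself rendered, so a link on an attacker's page is enough.
add_action( 'admin_post_rl_delete_resource_vuln', function () {
    $id = isset( $_REQUEST['resource_id'] ) ? absint( $_REQUEST['resource_id'] ) : 0;
    if ( $id && current_user_can( 'manage_options' ) ) {
        wp_delete_post( $id, true ); // runs with the victim administrator's privileges
    }
    wp_safe_redirect( admin_url( 'admin.php?page=resource-library' ) );
    exit;
} );

// HARDENED pattern: the form embeds a nonce bound to the action, the resource
// and the current user, and the handler refuses anything without a valid one.
function rl_render_delete_form( $resource_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rl_delete_resource">
        <input type="hidden" name="resource_id" value="<?php echo esc_attr( $resource_id ); ?>">
        <?php wp_nonce_field( 'rl_delete_resource_' . $resource_id, '_rl_nonce' ); ?>
        <?php submit_button( 'Delete resource', 'delete' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_rl_delete_resource', function () {
    $id = isset( $_POST['resource_id'] ) ? absint( $_POST['resource_id'] ) : 0;

    // Authorization check: a nonce proves intent, not permission, so both are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // Nonce check: check_admin_referer() calls wp_die() with a 403 page if the
    // nonce is missing, forged, expired, or bound to a different resource or user.
    check_admin_referer( 'rl_delete_resource_' . $id, '_rl_nonce' );

    if ( $id ) {
        wp_delete_post( $id, true );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=resource-library' ) );
    exit;
} );
```

For actions triggered by a plain link rather than a form, the same protection is obtained by generating the link with wp_nonce_url() and keeping the check_admin_referer() call in the handler; for admin-ajax.php handlers, check_ajax_referer() serves the same purpose. In all cases the nonce check must sit before any state-changing call, and it complements rather than replaces the capability check.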
