Blog Designer For Elementor Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress, specifically in version 1.1.7. The flaw is inadequate nonce validation in the 'bdfe_install_activate_rswpbs_only' function: the handler acts on a request without confirming that the request originated from an action the administrator actually took in the WordPress dashboard. An unauthenticated attacker (one holding no account on the site) can therefore have the 'rs-wp-books-showcase' plugin installed by sending a forged request that rides on the administrator's existing logged-in session, provided the attacker can persuade a site administrator to click a link or perform a similar action while logged in.

Impact

Exploitation of this vulnerability could lead to the unauthorized installation of the 'rs-wp-books-showcase' plugin on the affected WordPress site, expanding the site's installed code and attack surface without the administrator's knowledge or consent.

Reproduction

To reproduce this vulnerability, an attacker crafts a forged request targeting the handler behind the 'bdfe_install_activate_rswpbs_only' function, which performs no nonce validation, and delivers it through a link or attacker-controlled page. When a logged-in site administrator clicks the link, the browser attaches the administrator's session cookies, and the handler installs the 'rs-wp-books-showcase' plugin without the administrator's consent. If the handler only accepts POST requests, the attacker's page must auto-submit a form instead of relying on a plain link.

Remediation

No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin until a version that validates a nonce in the 'bdfe_install_activate_rswpbs_only' function is released. Administrators should also check the Plugins screen (or the wp-content/plugins directory) for an 'rs-wp-books-showcase' installation they did not perform themselves, since its unexpected presence is the observable sign that the forged request succeeded.
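To make the missing check concrete for the Vulnerability and Remediation sections above, the following is an added illustration written for this page, not code from the Blog Designer For Elementor plugin or its vendor. It reconstructs the CSRF pattern the advisory describes (an install-and-activate handler reachable through admin-ajax.php with no nonce check) next to a hardened handler that requires a nonce and a capability check. The AJAX action names, the nonce action string 'bdfe_example_install_rswpbs', the script handle 'bdfe-admin' and every function name ending in '_example' are assumptions; only the plugin slug 'rs-wp-books-showcase' comes from the advisory. Whether the real handler performs a capability check is not stated in the advisory; the example includes one in the vulnerable variant to show that a capability check alone does not stop CSRF.

```php
<?php
/**
 * Added example, not the plugin's own code. Illustrates the CSRF pattern
 * described in the advisory and the standard WordPress fix for it.
 */

/**
 * Installs a plugin from the wordpress.org repository and activates it.
 * Uses the core Plugin_Upgrader API; returns true or a WP_Error.
 */
function bdfe_example_install_and_activate( $slug ) {
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
	require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
	require_once ABSPATH . 'wp-admin/includes/plugin.php';

	$api = plugins_api( 'plugin_information', array(
		'slug'   => $slug,
		'fields' => array( 'sections' => false ),
	) );
	if ( is_wp_error( $api ) ) {
		return $api;
	}

	$upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
	$installed = $upgrader->install( $api->download_link );
	if ( is_wp_error( $installed ) ) {
		return $installed;
	}
	if ( ! $installed ) {
		return new WP_Error( 'install_failed', 'Plugin install failed.' );
	}

	$activated = activate_plugin( $upgrader->plugin_info() );
	return is_wp_error( $activated ) ? $activated : true;
}

/**
 * VULNERABLE pattern (hypothetical reconstruction of the advisory's flaw).
 * A capability check is assumed here; it does not help, because the forged
 * request is sent by the administrator's own browser with the admin's cookies,
 * so current_user_can() passes. Nothing proves the admin meant to do this.
 */
function bdfe_example_install_rswpbs_vulnerable() {
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_send_json_error( 'insufficient permissions', 403 );
	}
	// Missing: check_ajax_referer() / wp_verify_nonce().
	$result = bdfe_example_install_and_activate( 'rs-wp-books-showcase' );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( $result->get_error_message(), 500 );
	}
	wp_send_json_success( 'installed' );
}
add_action( 'wp_ajax_bdfe_example_install_rswpbs_vulnerable', 'bdfe_example_install_rswpbs_vulnerable' );

/**
 * HARDENED pattern. The nonce is generated only inside the WordPress admin
 * for the logged-in user (see the enqueue hook below), so an attacker-hosted
 * page cannot know it; check_ajax_referer() terminates the request with
 * HTTP 403 when the 'nonce' parameter is absent or invalid.
 */
function bdfe_example_install_rswpbs_hardened() {
	check_ajax_referer( 'bdfe_example_install_rswpbs', 'nonce' );

	if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
		wp_send_json_error( 'insufficient permissions', 403 );
	}

	$result = bdfe_example_install_and_activate( 'rs-wp-books-showcase' );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( $result->get_error_message(), 500 );
	}
	wp_send_json_success( 'installed' );
}
add_action( 'wp_ajax_bdfe_example_install_rswpbs_hardened', 'bdfe_example_install_rswpbs_hardened' );

/**
 * Hands the nonce to the plugin's admin script (handle 'bdfe-admin' is
 * assumed to be registered elsewhere). The script sends it back as the
 * 'nonce' field of its admin-ajax.php POST.
 */
function bdfe_example_localize_install_nonce() {
	wp_localize_script( 'bdfe-admin', 'bdfeExampleInstall', array(
		'ajax_url' => admin_url( 'admin-ajax.php' ),
		'action'   => 'bdfe_example_install_rswpbs_hardened',
		'nonce'    => wp_create_nonce( 'bdfe_example_install_rswpbs' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'bdfe_example_localize_install_nonce' );
```

The important difference is the order of checks in the hardened handler: the nonce is verified before the capability, so a forged request from a logged-in administrator is rejected with 403 before any installer code runs. Note that no 'wp_ajax_nopriv_' hook is registered for either handler; CSRF does not need one, because the victim supplies the authenticated session.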

Added: Sep 11, 2025, 8:17 AM
Updated: Sep 11, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.