OceanWP WordPress Theme Cross-Site Request Forgery Vulnerability Allowing Unauthorized Plugin Installation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the OceanWP theme for WordPress, specifically in versions 4.0.9 prior to 4.1.1. The issue arises from inadequate nonce validation in the 'oceanwp_notice_button_click' function, enabling unauthenticated attackers to install the Ocean Extra plugin. This exploitation requires tricking a site administrator into clicking a link that initiates the malicious request.

Impact

Exploitation of this vulnerability allows for unauthorized installation of the Ocean Extra plugin, which could be misused to execute further malicious actions, such as deploying harmful code or backdoors, or altering site settings to reduce security. In e-commerce contexts, this could lead to fraudulent transactions or customer data theft. For corporate or membership sites, there could be unauthorized data access or site defacement.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' without a valid nonce. Include the 'action' parameter set to 'oceanwp_notice_button_click'. This can be automated with a script that simulates a button click in the admin interface.

Remediation

Users are advised to update the OceanWP theme to version 4.1.2 or later.