Coil Web Monetization WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Coil Web Monetization plugin for WordPress, affecting all versions through 2.0.2. The vulnerability arises from inadequate nonce validation on the 'coil-get-css-selector' parameter within the 'maybe_restrict_content' function. This flaw allows unauthenticated attackers to invoke CSS selector detection by sending a forged request, provided they can persuade a site administrator to click a link or perform a similar action.
Impact
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of a user, potentially allowing attackers to manipulate content or settings within WordPress.
Reproduction
To reproduce this vulnerability, an attacker must send a forged request that includes the 'coil-get-css-selector' parameter. This can be done by tricking a site administrator into clicking a link that activates the request, such as through a phishing email or a malicious website.
Remediation
No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.