WordPress Page Blocks Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Page Blocks plugin for WordPress, affecting all versions through 1.1.0. The issue arises from inadequate nonce validation in the 'admin_process_widget_page_change' function, allowing unauthenticated attackers to alter widget page block settings. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in widget page block configurations, potentially allowing attackers to manipulate how content is displayed on the site.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to a WordPress site with the Page Blocks plugin installed. This request should be designed to exploit the missing nonce validation in the 'admin_process_widget_page_change' function. The attacker must trick an administrator into clicking a link that activates the forged request, which can be done by embedding the link in an email or on a web page that the administrator is likely to visit.