Run Log WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Run Log plugin for WordPress, affecting all versions through 1.7.10. The issue arises from inadequate nonce validation in the 'oirl_plugin_options' function, allowing unauthenticated attackers to manipulate plugin settings. This includes changing distance units, pace display options, style themes, and display positions. The vulnerability can be exploited by tricking a site administrator into clicking a link that sends a forged request.

Impact

Exploitation of this vulnerability allows for unauthorized modification of plugin settings, which could lead to misleading information being displayed or shared.

Reproduction

To reproduce this vulnerability, an attacker must craft a request that exploits the missing nonce validation in the 'oirl_plugin_options' function. This request should be designed to change one of the vulnerable settings, such as the distance unit or pace display preference. The attacker must then trick an administrator into clicking a link that activates this forged request.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and consider a replacement.