AutoCatSet WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the AutoCatSet plugin for WordPress, affecting all versions through 2.1.4. The issue arises from inadequate nonce validation in the 'autocatset_ajax' function, allowing unauthenticated attackers to initiate automatic recategorization of posts. Exploitation requires tricking a site administrator into clicking a link that sends a forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized recategorization of posts, potentially disrupting content organization and management.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the 'autocatset_ajax' action without a valid nonce. This can be done by tricking an administrator into clicking a link that activates the request, such as through a social engineering tactic or by embedding the link in a location where the admin is likely to click.