PhpList Subber WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the PhpList Subber plugin for WordPress, affecting all versions through 1.1. The issue arises from inadequate nonce validation in the 'bulk_action_handler' function, allowing unauthenticated attackers to manipulate bulk synchronization of subscription forms. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized bulk synchronization of subscription forms, potentially allowing attackers to manipulate subscription data without proper authorization.

Reproduction

To reproduce this vulnerability, an attacker must create a forged request that exploits the missing nonce validation in the 'bulk_action_handler' function. This can be done by tricking a site administrator into clicking a link that activates the forged request, thereby initiating the bulk synchronization process without proper authorization.