MPWizard WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Arbitrary Post Deletion

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the MPWizard – Create Mercado Pago Payment Links plugin for WordPress, in all versions up to and including 1.2.1. The flaw is missing or inadequate nonce validation in the post-deletion handler in '/includes/admin/class-mpwizard-table.php': the handler performs the deletion without verifying that the request originated from the plugin's own admin page. An unauthenticated attacker can therefore delete arbitrary posts by having a logged-in administrator's browser submit a forged request, for example by inducing the administrator to follow a crafted link or visit an attacker-controlled page while authenticated.

Impact

Successful exploitation deletes posts with the privileges of the tricked administrator. The attacker needs no account on the target site, but cannot act without the administrator's interaction, and the outcome is limited to data loss (deletion of posts chosen by the attacker); the vulnerability does not by itself disclose data or execute code.

Reproduction

To reproduce this vulnerability, an attacker crafts a request to the plugin's deletion endpoint on a WordPress site running MPWizard, carrying the parameters the handler uses to identify the post (such as the post ID) but no valid nonce, since the handler does not check one. The request is embedded in a link or an auto-submitting page under the attacker's control. When an administrator who is logged in to the site follows the link, the browser attaches the administrator's WordPress session cookies, the handler accepts the request as if the administrator had clicked the plugin's own delete control, and the post is removed. The nonce is the only mechanism that would distinguish a genuine click from the forged one, so its absence is what makes the attack work.
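The following is an added illustration of the class of defect described above and of its fix; it is not code from the MPWizard plugin, and the action name `example_delete_post`, the `post_id` parameter, the hook and the text domain are all assumptions. The vulnerable handler accepts any request that reaches it, which is exactly what a forged cross-site request relies on; the hardened handler binds the request to a nonce issued for that specific action and post via check_admin_referer() and, separately, verifies the capability with current_user_can(). When reviewing a plugin for this bug, the check to make is that every state-changing admin handler calls check_admin_referer() or wp_verify_nonce() before acting, and that the links or forms that trigger it are generated with a matching nonce.

```php
<?php
/*
 * Illustrative example, not MPWizard's code. 'example_delete_post',
 * 'post_id', the admin page slug and the text domain are hypothetical.
 */

// Vulnerable pattern: a forged request from another origin arrives with
// the administrator's session cookies, and nothing ties it to an action
// the administrator actually initiated from the plugin's page.
function example_delete_post_vulnerable() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( $post_id ) {
        wp_delete_post( $post_id, true );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example' ) );
    exit;
}

// Hardened pattern: the nonce proves the request came from a page this
// site rendered for this user; the capability check proves the user may
// delete this particular post. Both are needed; nonces are not authorization.
function example_delete_post_hardened() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

    // Calls wp_die() with a 403 if the _wpnonce parameter is missing,
    // expired, or was issued for a different action or post.
    check_admin_referer( 'example_delete_post_' . $post_id );

    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this item.', 'example' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_delete_post', 'example_delete_post_hardened' );

// The delete link rendered in the admin table must carry the matching
// nonce. An attacker's page cannot read it, so a forged request fails.
function example_delete_link( $post_id ) {
    $url = add_query_arg(
        array(
            'action'  => 'example_delete_post',
            'post_id' => absint( $post_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_delete_post_' . absint( $post_id ) );
}
```

The nonce action string includes the post ID so that a nonce obtained for one row cannot be replayed against another; the capability check uses the meta capability `delete_post` with the specific ID rather than a blanket role test, so the same handler is correct for authors and editors as well as administrators.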

Remediation

No known patch is available for this vulnerability at the time of writing. Until the vendor publishes a version later than 1.2.1 that adds nonce verification to the deletion handler, the recommended course is to deactivate and remove the plugin. Where that is not possible, reduce the window of exposure: administrators should avoid following untrusted links while logged in to the site, log out of the dashboard when not actively using it, and keep recent backups so that deleted posts can be restored. Check the plugin's changelog for a release that addresses this issue before reinstalling.

Added: Oct 3, 2025, 1:08 PM
Updated: Oct 3, 2025, 1:08 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.