Friendly Functions for Welcart WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Friendly Functions for Welcart WordPress plugin, affecting all versions through 1.2.5. The vulnerability arises from inadequate nonce validation on the settings page, allowing unauthenticated attackers to manipulate plugin settings by tricking an administrator into clicking a link.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in the plugin settings, potentially allowing for further exploitation or misuse of the WordPress site.

Reproduction

To reproduce this vulnerability, an attacker must craft a request that exploits the missing nonce validation. This can be done by tricking a site administrator into clicking a link that sends the forged request to update the plugin settings.

Remediation

Users are advised to update the Friendly Functions for Welcart plugin to version 1.2.6 or later.