MMA Call Tracking WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the MMA Call Tracking plugin for WordPress, affecting all versions up to and including 2.3.15. The vulnerability arises from a lack of nonce validation when saving plugin settings on the admin page. This flaw allows unauthenticated attackers to alter call tracking configurations by sending a forged request, provided they can deceive a site administrator into clicking a link.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in the call tracking settings of the affected WordPress site.
Reproduction
To reproduce this vulnerability, an attacker must trick a site administrator into clicking a link that sends a settings-save request to the WordPress site, which the plugin accepts without nonce validation. Because the request is issued by the administrator's own browser and carries their authenticated session, the site cannot distinguish it from a legitimate settings change; the attacker only needs social engineering to persuade the administrator to click the link.
Remediation
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
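The missing check described above, shown as the vulnerable settings-save pattern beside its hardened form. This is an added example, not the MMA Call Tracking plugin's own code; the option name, function names, form field and nonce action are hypothetical.

```php
<?php
// Added example, not the plugin's code: option, function and field names are hypothetical.

// Settings page form: emit a nonce field bound to a specific action name.
function mct_example_render_settings_page() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'mct_example_save_settings', 'mct_example_nonce' ); ?>
        <input type="text" name="mct_tracking_number"
               value="<?php echo esc_attr( get_option( 'mct_tracking_number', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Vulnerable pattern: every POST that reaches admin_init is trusted. A form submitted
// from another origin by a logged-in administrator's browser changes the option.
function mct_example_save_settings_vulnerable() {
    if ( isset( $_POST['mct_tracking_number'] ) ) {
        update_option( 'mct_tracking_number',
            sanitize_text_field( wp_unslash( $_POST['mct_tracking_number'] ) ) );
    }
}

// Hardened pattern: require the capability AND a valid nonce for this exact action.
function mct_example_save_settings_hardened() {
    if ( ! isset( $_POST['mct_tracking_number'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce for the named action and stops the
    // request on failure. A cross-site request cannot carry a nonce that is valid for
    // this user, this action and this time window, so the forged save is rejected.
    check_admin_referer( 'mct_example_save_settings', 'mct_example_nonce' );
    update_option( 'mct_tracking_number',
        sanitize_text_field( wp_unslash( $_POST['mct_tracking_number'] ) ) );
}
add_action( 'admin_init', 'mct_example_save_settings_hardened' );
```

The capability check is deliberately kept alongside the nonce check: a nonce proves the request originated from the plugin's own form for that user, while the capability check proves that user is allowed to change settings at all.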
