WP Quick Contact Us WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WP Quick Contact Us plugin for WordPress, affecting all versions through 1.0. The vulnerability arises from missing nonce validation in the settings update handler: the plugin saves submitted settings without verifying a WordPress nonce tied to the action and the current user's session. An unauthenticated attacker can therefore change the plugin's settings by tricking a logged-in site administrator into clicking a link or performing a similar action, since the administrator's browser attaches the authenticated session cookies to the forged request.

Impact

Exploitation of this vulnerability allows unauthorized modification of the plugin's settings. Because the forged request is processed with the victim administrator's privileges, the change is recorded as an action performed on behalf of that user, without the user's knowledge or consent.

Reproduction

To reproduce this vulnerability, an attacker crafts a forged request to the plugin's settings-update endpoint that omits the nonce the handler should require, for example a link or an auto-submitting form hosted on a page the attacker controls. When a logged-in administrator follows the link or visits the page, the browser sends the request with the administrator's session cookies; because the handler performs no nonce validation, the settings are changed without the administrator's knowledge or consent. Whether a plain link suffices depends on whether the handler accepts GET, and a cross-site POST additionally depends on the browser's SameSite cookie handling, so both variants should be tried when confirming the issue.
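The following is an added illustration of the vulnerable pattern beside its hardened form; it is not code from the WP Quick Contact Us plugin, and the action name, option name, nonce field name and page slug (all prefixed wpqcu_) are hypothetical. It shows what "missing nonce validation" looks like in a WordPress admin-post settings handler and the two checks (capability and nonce) that close the CSRF hole.

```php
<?php
// Added example, not the plugin's own code. All wpqcu_* names are hypothetical.

// --- Vulnerable pattern (shown for contrast; do not hook this one) ---
// The handler trusts any POST that reaches it. A forged cross-site request sent
// by a logged-in administrator's browser carries the auth cookies and is honoured.
function wpqcu_save_settings_vulnerable() {
    $settings = array(
        'recipient' => sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) ),
        'subject'   => sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
    );
    update_option( 'wpqcu_settings', $settings ); // no capability check, no nonce check
    wp_safe_redirect( admin_url( 'options-general.php?page=wpqcu&updated=1' ) );
    exit;
}

// --- Hardened handler ---
add_action( 'admin_post_wpqcu_save_settings', 'wpqcu_save_settings_fixed' );
function wpqcu_save_settings_fixed() {
    // 1. Authorization: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. CSRF defence: check_admin_referer() verifies the nonce bound to this
    //    action and the current user's session and dies if it is missing or
    //    invalid. A page on another origin cannot obtain that value, so a
    //    forged request never reaches update_option().
    check_admin_referer( 'wpqcu_save_settings', 'wpqcu_nonce' );

    $settings = array(
        'recipient' => sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) ),
        'subject'   => sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
    );
    update_option( 'wpqcu_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpqcu&updated=1' ) );
    exit;
}

// --- Settings form: the legitimate request must carry the nonce ---
function wpqcu_render_settings_form() {
    $settings = get_option( 'wpqcu_settings', array( 'recipient' => '', 'subject' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpqcu_save_settings">
        <?php wp_nonce_field( 'wpqcu_save_settings', 'wpqcu_nonce' ); ?>
        <label>Recipient
            <input type="email" name="recipient"
                   value="<?php echo esc_attr( $settings['recipient'] ); ?>">
        </label>
        <label>Subject
            <input type="text" name="subject"
                   value="<?php echo esc_attr( $settings['subject'] ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, locate every call that writes settings (update_option(), update_site_option(), direct $wpdb writes) and confirm that the same code path first calls check_admin_referer(), wp_verify_nonce() or check_ajax_referer() against a nonce emitted by wp_nonce_field() or wp_create_nonce(); a capability check alone does not stop CSRF, because the forged request runs with the victim's capabilities.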

Added: Feb 14, 2026, 8:22 AM
Updated: Feb 14, 2026, 8:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.2
remediation: 0.0
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.