Aruba HiSpeed Cache
cpe:2.3:a:aruba:aruba_hispeed_cache:*:*:*:*:wordpress:*:*
- Affected versions: < 3.0.5
A cross-site request forgery (CSRF) vulnerability has been identified in the Aruba HiSpeed Cache WordPress plugin, affecting versions prior to 3.0.5. The vulnerability arises because the plugin's AJAX handlers for resetting options, debugging status, and cache purging do not properly validate WordPress nonces for state-changing requests. This oversight allows an attacker to trick a logged-in administrator into executing unauthorized actions, such as resetting plugin settings, altering the WP_DEBUG configuration, or changing cache purging behaviors, all without the administrator's knowledge.
Exploitation of this vulnerability could lead to unauthorized changes in plugin settings, WordPress debugging configurations, or cache management behaviors, potentially disrupting website performance or functionality.
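The missing check described above, as an added example that is not the plugin's own code: a hypothetical WordPress AJAX handler without nonce validation, beside a version that verifies a nonce and the caller's capability before changing state. The action, nonce, option and script names (`example_*`, `admin.js`) are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example nonce-checked AJAX handler (illustration only)
 */

// Hypothetical action and nonce names; not taken from Aruba HiSpeed Cache.
const EXAMPLE_ACTION = 'example_reset_options';
const EXAMPLE_NONCE  = 'example_reset_options_nonce';

// Vulnerable pattern: the session cookie alone authorizes the state change,
// so the handler cannot tell a forged cross-site request from a real one.
function example_reset_options_unsafe() {
    delete_option( 'example_plugin_options' );
    wp_send_json_success();
}

// Hardened pattern: require a valid nonce and the right capability first.
function example_reset_options_safe() {
    // With $die = false the call returns false on failure, so we shape the reply.
    if ( ! check_ajax_referer( EXAMPLE_NONCE, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    // A nonce proves intent, not privilege: check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    delete_option( 'example_plugin_options' );
    wp_send_json_success();
}
// Register only the hardened callback; no wp_ajax_nopriv_ hook for admin actions.
add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_reset_options_safe' );

// Hand the nonce to the admin-side script that issues the request.
function example_enqueue_admin_script() {
    // admin.js is a hypothetical script that sends `nonce` with each request.
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'    => admin_url( 'admin-ajax.php' ),
        'action' => EXAMPLE_ACTION,
        'nonce'  => wp_create_nonce( EXAMPLE_NONCE ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When auditing a plugin for this class of bug, each `wp_ajax_*` callback that changes state should reach a `check_ajax_referer()` or `wp_verify_nonce()` call before any write.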