Xhanch My Advanced Settings WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Xhanch - My Advanced Settings plugin for WordPress, affecting all versions through 1.1.2. The vulnerability arises from a lack of nonce validation in the 'xms_setting()' function, which handles settings updates. This flaw allows unauthenticated attackers to alter plugin settings by sending a forged request, provided they can deceive a site administrator into clicking a link. The settings that can be changed include the favicon URL, Google Analytics account ID, and various WordPress behavior toggles. Notably, the 'favicon_url' and 'ga_acc_id' values are displayed on the front end without proper escaping, creating a potential for a Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS) attack chain.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in plugin settings, with the potential for Cross-Site Scripting (XSS) attacks due to unescaped output of certain settings values.