Call To Action WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Call To Action Plugin for WordPress, affecting all versions through 3.1.3. The vulnerability arises from inadequate nonce validation in the 'cbox_options_page()' function, which handles saving, creating, and deleting the plugin's settings. The settings page form contains no nonce field, and the save handler neither verifies a nonce nor calls the admin-referer check before writing settings through the WordPress database abstraction layer. Because the handler accepts any submission that arrives with an administrator's session cookies, an unauthenticated attacker can alter plugin settings, including the call-to-action box title, content, link URL, image URL, colors, and other configuration options, by tricking a logged-in site administrator into clicking a link or visiting a page that submits the forged request.
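The missing controls described above are the standard WordPress pair: a nonce field emitted into the form and a nonce plus capability check in the handler before any option is written. The following is an added, simplified illustration of that pattern and is not the Call To Action plugin's own code; the function names (cbox_example_options_page_vulnerable, cbox_example_options_page), the option key 'cbox_example_settings', the nonce action 'cbox_example_save_settings' and the field names are assumptions chosen for the example. The first function shows the shape of the weakness the advisory describes; the second shows the corrected handler.

```php
<?php
// Added illustrative example, not the plugin's code. All names below are assumed.

// Pattern described in the advisory: the handler trusts any POST that reaches it.
// A cross-site form submitted by a logged-in administrator is therefore honoured.
function cbox_example_options_page_vulnerable() {
    if ( isset( $_POST['cbox_save'] ) ) {
        // No nonce check, no capability check, no sanitization.
        update_option( 'cbox_example_settings', array(
            'title'    => $_POST['cbox_title'],
            'link_url' => $_POST['cbox_link_url'],
        ) );
    }
    // ... form rendered without wp_nonce_field() ...
}

// Corrected handler: capability check, nonce verification, sanitized input.
function cbox_example_options_page() {
    // Only users allowed to manage options may load the page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cbox-example' ) );
    }

    if ( isset( $_POST['cbox_save'] ) ) {
        // check_admin_referer() validates the '_wpnonce' field against the action
        // (and the referer) and stops execution if it is missing or invalid, so a
        // forged request from another origin never reaches update_option().
        check_admin_referer( 'cbox_example_save_settings' );

        $bg_color = sanitize_text_field( wp_unslash( $_POST['cbox_bg_color'] ?? '' ) );
        if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', $bg_color ) ) {
            $bg_color = ''; // reject anything that is not a plain hex colour
        }

        $settings = array(
            'title'     => sanitize_text_field( wp_unslash( $_POST['cbox_title'] ?? '' ) ),
            'content'   => wp_kses_post( wp_unslash( $_POST['cbox_content'] ?? '' ) ),
            'link_url'  => esc_url_raw( wp_unslash( $_POST['cbox_link_url'] ?? '' ) ),
            'image_url' => esc_url_raw( wp_unslash( $_POST['cbox_image_url'] ?? '' ) ),
            'bg_color'  => $bg_color,
        );
        update_option( 'cbox_example_settings', $settings );
        echo '<div class="notice notice-success"><p>'
            . esc_html__( 'Settings saved.', 'cbox-example' ) . '</p></div>';
    }

    $settings = get_option( 'cbox_example_settings', array() );
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Call To Action (example)', 'cbox-example' ); ?></h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'cbox_example_save_settings' ); ?>
            <p>
                <label for="cbox_title"><?php esc_html_e( 'Title', 'cbox-example' ); ?></label>
                <input type="text" id="cbox_title" name="cbox_title"
                       value="<?php echo esc_attr( $settings['title'] ?? '' ); ?>">
            </p>
            <p>
                <label for="cbox_link_url"><?php esc_html_e( 'Link URL', 'cbox-example' ); ?></label>
                <input type="url" id="cbox_link_url" name="cbox_link_url"
                       value="<?php echo esc_attr( $settings['link_url'] ?? '' ); ?>">
            </p>
            <p><button type="submit" name="cbox_save" value="1" class="button button-primary">
                <?php esc_html_e( 'Save', 'cbox-example' ); ?></button></p>
        </form>
    </div>
    <?php
}

// Register the page under Settings (hypothetical slug).
add_action( 'admin_menu', function () {
    add_options_page( 'Call To Action (example)', 'Call To Action (example)',
        'manage_options', 'cbox-example', 'cbox_example_options_page' );
} );
```

The nonce check must run before the first write, not after; and a nonce on its own is not an authorization control, which is why the capability check stays alongside it. A quick way to confirm a handler is protected is to submit the form with the '_wpnonce' field removed or altered: a correctly guarded page responds with WordPress's "The link you followed has expired" error and leaves the stored option unchanged.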
Impact
Successful exploitation lets an attacker change the plugin's settings without authorization by riding on an administrator's authenticated session; no credentials of their own are required.
Reproduction
To reproduce this vulnerability, an attacker must send a forged request to a WordPress site with the vulnerable Call To Action Plugin installed. The request is crafted to include the desired changes to the plugin settings, such as the call-to-action box title, content, link URL, image URL, colors, or other configuration options. The attacker must then trick an administrator into clicking a link that submits the forged request, thereby applying the unauthorized changes.
