TextP2P Texting Widget WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the TextP2P Texting Widget plugin for WordPress, affecting all versions up to and including 1.7. The vulnerability arises from inadequate nonce validation in the 'imTextP2POptionPage()' function, which handles settings updates. Specifically, the settings form does not include a nonce field, and the POST handler does not verify a nonce before applying changes. As a result, unauthenticated attackers can change plugin settings, such as chat widget titles, messages, API credentials, colors, and reCAPTCHA configurations, through a forged request, provided they can trick a site administrator into performing an action such as clicking a link.
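The two checks described above as missing, shown in a hardened settings page. This is an added example, not the TextP2P plugin's code: the example_widget_* function, option, field and nonce names are assumptions chosen for illustration, and only standard WordPress API calls are used.

```php
<?php
// Added example: hypothetical settings page, NOT the TextP2P plugin's code.
// All example_widget_* names are assumptions made for illustration.

add_action( 'admin_menu', function () {
    add_options_page( 'Example Widget', 'Example Widget', 'manage_options',
        'example-widget', 'example_widget_options_page' );
} );

function example_widget_options_page() {
    // Capability check: only administrators may view or change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.' ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['example_widget_submit'] ) ) {
        // Check 2 of 2: verify the nonce BEFORE any option is written.
        // check_admin_referer() stops the request with a 403 when the
        // nonce is absent, expired, or issued for another user or action.
        check_admin_referer( 'example_widget_save_options', 'example_widget_nonce' );

        $title = isset( $_POST['example_widget_title'] )
            ? sanitize_text_field( wp_unslash( $_POST['example_widget_title'] ) )
            : '';
        update_option( 'example_widget_title', $title );

        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    $title = get_option( 'example_widget_title', '' );
    ?>
    <div class="wrap">
        <h1>Example Widget Settings</h1>
        <form method="post" action="">
            <?php
            // Check 1 of 2: emit a hidden nonce bound to this user and action.
            wp_nonce_field( 'example_widget_save_options', 'example_widget_nonce' );
            ?>
            <label for="example_widget_title">Widget title</label>
            <input type="text" id="example_widget_title" name="example_widget_title"
                   value="<?php echo esc_attr( $title ); ?>">
            <?php submit_button( 'Save', 'primary', 'example_widget_submit' ); ?>
        </form>
    </div>
    <?php
}
```

The nonce field alone gives no protection; a handler that writes options without calling check_admin_referer() or wp_verify_nonce() still accepts cross-site requests.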
Impact
Exploitation of this vulnerability could lead to unauthorized changes in plugin settings, potentially allowing attackers to modify chat widget configurations and API credentials.
Reproduction
To reproduce this vulnerability, an attacker must craft a forged request that exploits the missing nonce validation. This can be done by tricking a site administrator into clicking a link that sends the request, which the plugin then processes without the necessary nonce verification. Once the request is processed, the attacker can manipulate various plugin settings, including chat widget titles, messages, API credentials, colors, and reCAPTCHA options.
