mCatFilter WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the mCatFilter plugin for WordPress, affecting all versions up to and including 0.5.2. The vulnerability arises from the lack of nonce verification and capability checks in the compute_post() function, which handles settings updates. This function is invoked on every page load through the plugins_loaded hook and processes $_POST data to change plugin settings via update_option() without any CSRF token validation. As a result, unauthenticated attackers can alter various plugin settings, such as category exclusion rules and feed exclusion flags, by tricking a site administrator into clicking a link that submits a forged POST request.
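The following is an added example, not code from the mCatFilter plugin, showing what a settings handler with the two missing controls looks like: a capability check and a nonce check, with the handler bound to an explicit admin-post action instead of running on every page load through plugins_loaded. The option names, nonce action, form fields and function names (prefixed mcf_example_) are assumptions for illustration; only compute_post(), plugins_loaded and update_option() come from the advisory text.

```php
<?php
// Added example (not the mCatFilter plugin's code). Option names, nonce
// action and field names are assumed for illustration.

// Settings page: the form carries a nonce bound to the save action.
function mcf_example_render_settings_page() {
    $exclude = get_option( 'mcf_example_exclude_cats', '' );
    $feeds   = (bool) get_option( 'mcf_example_exclude_feeds', false );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mcf_example_save">
        <?php wp_nonce_field( 'mcf_example_save', 'mcf_example_nonce' ); ?>
        <p><label>Excluded category IDs (comma separated)
            <input type="text" name="exclude_cats" value="<?php echo esc_attr( $exclude ); ?>">
        </label></p>
        <p><label><input type="checkbox" name="exclude_feeds" value="1" <?php checked( $feeds ); ?>>
            Also exclude from feeds</label></p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_menu', function () {
    add_options_page(
        'mCatFilter example', 'mCatFilter example',
        'manage_options', 'mcf-example', 'mcf_example_render_settings_page'
    );
} );

// Hardened handler. The vulnerable pattern described in the advisory is a
// compute_post() hooked to plugins_loaded that calls update_option() on
// whatever arrives in $_POST; this version only runs for a named admin-post
// action and refuses the request unless both checks below pass.
function mcf_example_compute_post() {
    // 1. Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request must carry a token issued to this user for
    //    this action. A cross-site forged POST cannot include a valid one, so
    //    check_admin_referer() dies here with a 403 instead of saving.
    check_admin_referer( 'mcf_example_save', 'mcf_example_nonce' );

    // 3. Validate and sanitize before persisting.
    $raw_cats = isset( $_POST['exclude_cats'] ) ? wp_unslash( $_POST['exclude_cats'] ) : '';
    $cat_ids  = array_filter( array_map( 'absint', explode( ',', $raw_cats ) ) );
    update_option( 'mcf_example_exclude_cats', implode( ',', $cat_ids ) );
    update_option( 'mcf_example_exclude_feeds', ! empty( $_POST['exclude_feeds'] ) );

    // 4. Redirect back to the settings page (PRG pattern) so a refresh does not resubmit.
    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', $back ? $back : admin_url( 'options-general.php?page=mcf-example' ) ) );
    exit;
}
add_action( 'admin_post_mcf_example_save', 'mcf_example_compute_post' );
```

The order of the checks matters only for the error a legitimate user sees; what blocks the CSRF is the nonce, which the attacker's page cannot read or forge, while the capability check stops a logged-in low-privilege user from changing settings directly. Moving the handler off plugins_loaded also means unauthenticated front-end requests never reach update_option() at all.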

Impact

Exploitation allows for unauthorized modification of all plugin settings, including category and feed exclusion rules.

Remediation

No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.

Added: Apr 22, 2026, 10:02 AM
Updated: Apr 22, 2026, 10:02 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.9
remediation: 0.0
relevance: 6.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.