Google PageRank Display WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Google PageRank Display plugin for WordPress, affecting versions through 1.4. The issue arises from inadequate nonce validation in the 'gpdisplay_option()' function, which manages the plugin's settings page. The settings form contains no 'wp_nonce_field()', and the form handler does not call 'check_admin_referer()' or 'wp_verify_nonce()' before processing POST requests. As a result, an unauthenticated attacker who tricks a logged-in administrator into submitting a forged request can make unauthorized changes to the plugin's settings, such as the display style of the PageRank badge.
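The two checks named above, shown in place as an added example (this is not the plugin's source code): a WordPress settings-page callback that reuses the name 'gpdisplay_option()' from the advisory and pairs 'wp_nonce_field()' in the form with 'check_admin_referer()' in the handler. The nonce action, field names, option name and style values are hypothetical, and the function is assumed to be registered as an admin page callback inside WordPress.

```php
<?php
// Added illustration, not the plugin's source. The nonce action, field names,
// option name and style values below are hypothetical placeholders.
const GPD_NONCE_ACTION = 'gpdisplay_save_options';
const GPD_NONCE_FIELD  = 'gpdisplay_nonce';
const GPD_OPTION       = 'gpdisplay_style';

function gpdisplay_option() {
    // Authorization: only users who may manage options reach the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $allowed = array( 'style1', 'style2', 'style3' ); // hypothetical values

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Server-side half: verifies the nonce sent with the form and stops
        // the request if the token is missing, expired or not this user's.
        check_admin_referer( GPD_NONCE_ACTION, GPD_NONCE_FIELD );

        $style = isset( $_POST['gpd_style'] )
            ? sanitize_key( wp_unslash( $_POST['gpd_style'] ) )
            : '';
        // Allow-list the value so even a valid request cannot store junk.
        if ( in_array( $style, $allowed, true ) ) {
            update_option( GPD_OPTION, $style );
        }
    }

    $current = get_option( GPD_OPTION, $allowed[0] );
    ?>
    <div class="wrap">
      <form method="post">
        <?php
        // Form-side half: emits a hidden token bound to the current user and
        // this action, which a page on another origin cannot read or guess.
        wp_nonce_field( GPD_NONCE_ACTION, GPD_NONCE_FIELD );
        ?>
        <select name="gpd_style">
          <?php foreach ( $allowed as $s ) : ?>
            <option value="<?php echo esc_attr( $s ); ?>" <?php selected( $current, $s ); ?>><?php echo esc_html( $s ); ?></option>
          <?php endforeach; ?>
        </select>
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}
```

Both halves are required: a nonce field that the handler never verifies, or a verification call with no field in the form, leaves the settings page either unprotected or unusable.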
Impact
Successful exploitation lets an attacker trick a user into performing actions they did not intend, potentially leading to unauthorized changes to the plugin's settings.
Remediation
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
