Sentence To SEO WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Sentence To SEO (keywords, description and tags) plugin for WordPress, affecting all versions through 1.0. The vulnerability arises from inadequate nonce validation in the create_admin_page() function, allowing unauthenticated attackers to inject malicious scripts and alter plugin settings. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability could lead to Cross-Site Scripting (XSS) attacks, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an attacker must create a forged request that exploits the missing nonce validation. This can be done by tricking an administrator into clicking a link that sends the request without a valid nonce, thereby bypassing the plugin's security measures.