Anomify AI
- Affected versions: <= 0.3.6
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Anomify AI – Anomaly Detection and Alerting plugin for WordPress, affecting versions through 0.3.6. The vulnerability allows for Stored Cross-Site Scripting (XSS) because the settings page handler performs no nonce verification and the admin_options.php template does not escape its output. The settings form includes no nonce field, and the handler performs no referer check, so a cross-origin POST request can alter the plugin's settings. The API key field is sanitized only with a basic text sanitization function, which strips HTML tags but does not encode double-quote characters. The stored value is then echoed directly into an HTML attribute without escaping, so a value containing a double quote can break out of the attribute and inject script that executes in the administrator's browser when the settings page is opened.
Exploitation of this vulnerability allows for Cross-Site Scripting (XSS) attacks, where injected scripts are executed in the context of the user viewing the page.
To reproduce this vulnerability, an attacker must trick a logged-in administrator into visiting a page that the attacker controls. This page should be designed to submit a forged POST request to the WordPress site, targeting the Anomify AI plugin's settings page. The absence of nonce verification allows this cross-origin request to go through, modifying the plugin's settings. Once the injected script is stored in the database, it will execute in the administrator's browser whenever the settings page is opened.
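The two defects the advisory describes (no nonce or referer verification on the save handler, and an unescaped value echoed into an attribute) are shown below next to their hardened form. This is an added example written for this page, not the Anomify AI plugin's own code: the option, action, nonce and menu names (anomify_example_*) are assumed for illustration, and the sanitizer is assumed to be WordPress's sanitize_text_field(), which strips tags but leaves double quotes intact.

```php
<?php
/*
 * Added example (not the plugin's code): a minimal WordPress settings page
 * showing the vulnerable pattern from the advisory beside its hardened form.
 * All anomify_example_* names are assumed for illustration.
 */

/* ---- Vulnerable pattern, as described in the advisory ---- */

function anomify_example_save_settings_vulnerable() {
    // No nonce check, no referer check, no capability check: any POST that
    // reaches this code path (including a forged cross-origin one) is honoured.
    if ( isset( $_POST['anomify_api_key'] ) ) {
        // sanitize_text_field() removes tags but does not encode '"'.
        update_option( 'anomify_example_api_key', sanitize_text_field( wp_unslash( $_POST['anomify_api_key'] ) ) );
    }
}

function anomify_example_render_vulnerable() {
    $key = get_option( 'anomify_example_api_key', '' );
    // The stored value lands unescaped inside a quoted attribute, so a stored
    // double quote terminates the attribute and the rest is parsed as markup.
    echo '<form method="post">';
    echo '<input type="text" name="anomify_api_key" value="' . $key . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

/* ---- Hardened form: nonce field + verification, capability check, escaping ---- */

function anomify_example_render_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $key = get_option( 'anomify_example_api_key', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="anomify_example_save">';
    // Emits a hidden nonce field (and a referer field) tied to this action.
    wp_nonce_field( 'anomify_example_save', 'anomify_example_nonce' );
    // esc_attr() encodes '"', '<', '>' and '&', so the value cannot leave the attribute.
    echo '<input type="text" name="anomify_api_key" value="' . esc_attr( $key ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function anomify_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Verifies the nonce for this action and dies on failure. A forged
    // cross-origin POST cannot supply a valid nonce, which closes the CSRF path.
    check_admin_referer( 'anomify_example_save', 'anomify_example_nonce' );

    // Sanitize on input (defence in depth); escaping on output above is what
    // actually prevents the attribute injection.
    $key = isset( $_POST['anomify_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['anomify_api_key'] ) )
        : '';
    update_option( 'anomify_example_api_key', $key );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// Route the form through admin-post.php so the handler above is the only writer.
add_action( 'admin_post_anomify_example_save', 'anomify_example_save_settings_hardened' );

add_action( 'admin_menu', function () {
    add_options_page(
        'Anomify Example',
        'Anomify Example',
        'manage_options',
        'anomify-example',
        'anomify_example_render_hardened'
    );
} );
```

The fix has two independent halves, and both are needed: check_admin_referer() stops the settings from being changed by a forged request, and esc_attr() stops whatever is stored from being interpreted as markup when it is rendered. Sanitizing on input alone does not close the second half, because the sanitizer does not encode the quote character that terminates the attribute.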