DX Sources WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the DX Sources plugin for WordPress, affecting all versions through 2.0.1. The issue arises from inadequate nonce validation in the 'settings_page_build' function, allowing unauthenticated attackers to manipulate a logged-in administrator into sending a forged request that alters the plugin's settings. Exploitation requires tricking the administrator into clicking a link or performing a similar action.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can manipulate a user's actions without their consent, potentially leading to unauthorized changes in the WordPress site's configuration or content.

Reproduction

To reproduce this vulnerability, an attacker must exploit the lack of proper nonce validation in the 'settings_page_build' function. This can be done by sending a forged request to a logged-in administrator, tricking them into clicking a link that submits the request. The forged request can then be used to modify the plugin's settings, taking advantage of the administrator's privileges.