WP-Redirection WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WP-Redirection plugin for WordPress, affecting all versions up to and including 1.0.3. The vulnerability arises from the lack of a nonce field in the admin settings form and the absence of nonce verification in the 'displayWPRedirectionManagementPage()' function. Because of this oversight, an unauthenticated attacker who can induce a logged-in administrator to click a malicious link can cause unauthorized creation, modification, or deletion of URL redirection rules in the plugin's database.
Impact
Successful exploitation allows unauthorized changes to the redirection rules, so site visitors can be sent to destinations of the attacker's choosing (malicious redirects).
Reproduction
To reproduce this vulnerability, an attacker sends a crafted link to a logged-in administrator. When clicked, the link submits a request that reaches the 'displayWPRedirectionManagementPage()' function without any nonce verification, allowing the attacker to manipulate the redirection rules in the database.
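The class of defect described above, an admin settings form saved without a nonce, shown next to the standard WordPress hardening (nonce field, nonce verification, capability check). This is an added illustration, not the WP-Redirection plugin's own code: the function names, option key and nonce action are assumptions, and the real body of 'displayWPRedirectionManagementPage()' is not reproduced here.

```php
<?php
// Added example, not the plugin's code. Option name, nonce action and
// function names are assumptions chosen for illustration.

// BEFORE (vulnerable pattern, as in the advisory): the form is saved on any
// POST that carries the right field names. A cross-site request succeeds
// because the victim's browser attaches their logged-in admin cookies.
function wpr_example_save_vulnerable() {
    if ( isset( $_POST['redirect_from'], $_POST['redirect_to'] ) ) {
        $rules = (array) get_option( 'wpr_example_rules', array() );
        $rules[ sanitize_text_field( $_POST['redirect_from'] ) ] = esc_url_raw( $_POST['redirect_to'] );
        update_option( 'wpr_example_rules', $rules ); // no nonce, no capability check
    }
}

// AFTER (hardened): emit a nonce with the form ...
function wpr_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpr_example_save">';
    wp_nonce_field( 'wpr_example_save_rules', 'wpr_example_nonce' ); // nonce + referer fields
    echo '<input type="text" name="redirect_from"> <input type="url" name="redirect_to">';
    submit_button( 'Save redirect' );
    echo '</form>';
}

// ... and verify the nonce and the capability before touching the database.
function wpr_example_save_hardened() {
    // Dies with HTTP 403 if the nonce is missing, expired, or bound to
    // another action or user; a forged cross-site request never gets past it.
    check_admin_referer( 'wpr_example_save_rules', 'wpr_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    $from = isset( $_POST['redirect_from'] ) ? sanitize_text_field( wp_unslash( $_POST['redirect_from'] ) ) : '';
    $to   = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
    if ( '' === $from || '' === $to ) {
        wp_safe_redirect( add_query_arg( 'wpr_error', 1, wp_get_referer() ) );
        exit;
    }
    $rules          = (array) get_option( 'wpr_example_rules', array() );
    $rules[ $from ] = $to;
    update_option( 'wpr_example_rules', $rules );
    wp_safe_redirect( add_query_arg( 'wpr_saved', 1, wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_wpr_example_save', 'wpr_example_save_hardened' );
```

When reviewing a plugin for this bug class, look for every option-writing handler and confirm it is reached only after check_admin_referer() or wp_verify_nonce() and a current_user_can() check.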
