Notify Odoo WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Notify Odoo plugin for WordPress, affecting all versions through 1.0.1. The vulnerability arises from inadequate nonce validation in the '_updateSettings' function, allowing unauthenticated attackers to manipulate settings such as the Notify Odoo URL, notification preferences, tracking image options, and allowed IP addresses. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in the WordPress site's Notify Odoo plugin settings, potentially allowing for malicious URLs to be introduced or for notification behaviors to be altered in a harmful way.

Reproduction

To reproduce this vulnerability, an attacker must craft a forged request that exploits the missing nonce validation in the '_updateSettings' function. This can be done by tricking a site administrator into clicking a link that activates the forged request, which can be facilitated through social engineering tactics.

Remediation

Users are advised to update the Notify Odoo WordPress plugin to version 1.0.2 or later, where this vulnerability has been patched.
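The missing-nonce pattern described above and the corresponding fix, as an added PHP example written for this advisory; it is not the Notify Odoo plugin's code, and the function, option, field and hook names are assumptions:

```php
<?php
// Added illustrative example, not the Notify Odoo plugin's code.
// Option names, field names and the hook below are assumptions.

// Vulnerable shape: the handler trusts any POST that reaches it, so a forged
// request from another site is accepted whenever an admin's browser sends it.
function example_update_settings_vulnerable() {
    update_option( 'example_odoo_url', $_POST['odoo_url'] );       // no nonce, no capability check
    update_option( 'example_allowed_ips', $_POST['allowed_ips'] ); // unvalidated input stored as-is
}

// Hardened shape: the nonce ties the request to a form rendered for this
// user, the capability check limits who may change settings, and inputs
// are validated before they are stored.
function example_update_settings_hardened() {
    // Rejects requests without a valid nonce (wp_die() on failure).
    check_admin_referer( 'example_update_settings', 'example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Only accept an https URL for the notification endpoint.
    $url = esc_url_raw( wp_unslash( $_POST['odoo_url'] ?? '' ), array( 'https' ) );
    if ( '' === $url ) {
        wp_die( 'Invalid Notify Odoo URL', '', array( 'response' => 400 ) );
    }

    // Keep only syntactically valid IP addresses from a comma-separated list.
    $raw_ips = sanitize_text_field( wp_unslash( $_POST['allowed_ips'] ?? '' ) );
    $ips     = array_filter( array_map( 'trim', explode( ',', $raw_ips ) ), function ( $ip ) {
        return false !== filter_var( $ip, FILTER_VALIDATE_IP );
    } );

    update_option( 'example_odoo_url', $url );
    update_option( 'example_allowed_ips', implode( ',', $ips ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_update_settings', 'example_update_settings_hardened' );

// The settings form must emit the matching nonce field:
// wp_nonce_field( 'example_update_settings', 'example_nonce' );
```

A plugin review can check for this class of bug by confirming that every settings-writing handler calls check_admin_referer() or wp_verify_nonce() together with a current_user_can() check before any update_option() call.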

Added: May 15, 2026, 12:41 PM
Updated: May 15, 2026, 12:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 8.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.