WP Ultimate Map WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WP Ultimate Map plugin for WordPress, affecting versions through 1.1. The issue arises from the absence of nonce validation in the 'process_init' function, which is triggered during the 'admin_init' action. This function saves various plugin settings, including zoom level and geographic focus, using the 'update_option' function. The vulnerability allows unauthenticated attackers to manipulate plugin settings and inject arbitrary scripts by exploiting the lack of validation and sanitization, particularly with the 'zoom-level' parameter.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in plugin settings and the injection of malicious scripts that are executed in the context of the user.

Reproduction

To reproduce this vulnerability, send a forged request to a WordPress site with the WP Ultimate Map plugin installed, targeting the 'process_init' function. Include the 'save-setting' POST parameter and the 'zoom-level', 'focus-lat', and 'focus-lng' values. If successful, the injected script will be executed on the settings page.