EmergencyWP WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the EmergencyWP WordPress plugin, specifically in versions through 1.4.2. The issue arises from inadequate nonce validation in the settings save handler, allowing unauthenticated attackers to manipulate various plugin settings. This includes changing the minimum access role, data-erasure-on-uninstall flag, life-check timing values, mandatory email address, confirmation page ID, and date/time formats. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability allows for unauthorized modification of plugin settings, potentially leading to unauthorized changes in user role capabilities and other critical plugin configurations.

Remediation

No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.