A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Webpushr Plugin. This vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication.

This vulnerability was discovered and responsibly reported by Theodoros Malachias.

The vulnerability is a CSRF vulnerability that occurs in the webpushr.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user requests to force higher privileged users to execute unwanted actions.

Severity:

The vulnerability has a CVSS 3.1 score of 8.8, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

Unfortunately, as of the latest report, there is no patched version available for the Webpushr Plugin, and there has been no response from the plugin vendor. However, it’s important to note that this vulnerability has been reported to the WordPress Plugins Review Team, which plays a pivotal role in the resolution of such security concerns.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Force a higher privileged user to make changes to the website’s configuration.
  • Force a higher privileged user to delete data from the website.
  • Force a higher privileged user to perform other actions that they would not normally perform.

Recommendation:

Users of the Webpushr Plugin are strongly advised to uninstall the plugin and find an alternative solution. There is no patched version available, and the vendor has not responded to reports of the vulnerability. The vulnerability has been reported to the WordPress plugins review team.

To ensure the WordPress website remains secure in the face of this immediate threat, it’s urgent to take the following actions:

  1. Disable or Remove the Plugin: Given the absence of a patched version and vendor response, consider disabling or removing the Webpushr Plugin from the website. While this may temporarily affect functionality, it is an essential step to protect the site and its users.
  2. Explore Alternatives: Investigate alternative plugins that provide similar functionality while maintaining robust security standards. Prioritize plugins that are actively maintained and consistently updated.
  3. Monitor Updates: Continue to monitor developments related to the Webpushr Plugin. As soon as a fixed version becomes available, be prepared to promptly update the plugin.
  4. Enhance Security Measures: Implement web application firewalls (WAFs) and other security solutions to fortify your site against potential CSRF attacks and other security threats.