CVE-2019-11886

Vulnerability

The WaspThemes Visual CSS Style Editor plugin (yellow-pencil-visual-theme-customizer) for WordPress versions before 7.2.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the yp_option_update AJAX action. This allows an attacker to trick an authenticated administrator into unknowingly executing unintended actions, such as modifying plugin settings or triggering remote requests via the yp_remote_get function [1][2].

Exploitation

An attacker can craft a malicious link or page that, when visited by an authenticated WordPress administrator, sends a forged request to the yp_option_update endpoint. By including the yp_remote_get parameter, the attacker can force the server to make arbitrary HTTP requests, potentially to internal or external resources. No additional authentication or user interaction beyond the admin visiting the crafted link is required.

Impact

Successful exploitation allows an attacker to perform actions with the privileges of the targeted administrator. By leveraging the yp_remote_get functionality, the attacker can obtain admin-level access, potentially leading to full site compromise, including data disclosure, file manipulation, or further privilege escalation.

Mitigation

The vulnerability is fixed in version 7.2.1 of the plugin. Users should update to this version or later immediately. No workarounds are documented in the available references. The plugin is no longer actively maintained, and users should consider alternative solutions if updates are not available.