CVE-2019-15650
Description
The stops-core-theme-and-plugin-updates plugin before 8.0.5 for WordPress has insufficient restrictions on option changes (such as disabling unattended theme updates) because of a nonce check error.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A nonce check error in Easy Updates Manager before 8.0.5 allows attackers to change plugin options, such as disabling updates.
Vulnerability
The Easy Updates Manager plugin (stops-core-theme-and-plugin-updates) before version 8.0.5 for WordPress contains a nonce check error that leads to insufficient restrictions on option changes [1]. This flaw allows an attacker to modify plugin settings, such as disabling unattended theme updates, without proper authorization. The vulnerability affects all versions prior to 8.0.5.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the WordPress site. The nonce validation is flawed, so the attacker can bypass the intended security check and alter plugin options. No authentication is required; the attacker only needs network access to the site. The request includes the desired option changes and a manipulated nonce value.
Impact
Successful exploitation allows the attacker to change critical plugin settings, including disabling automatic updates for themes, plugins, or WordPress core. This can leave the site vulnerable to known exploits that would otherwise be patched by updates. The attacker gains the ability to control update behavior, potentially increasing the risk of compromise.
Mitigation
The vulnerability is fixed in version 8.0.5 of the Easy Updates Manager plugin [1]. Users should update to this version or later immediately. If updating is not possible, consider temporarily deactivating the plugin until a patch can be applied. No other workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/stops-core-theme-and-plugin-updates plugin
- Range: <8.0.5
Patches
No patches discovered yet.
References
- wordpress.org/plugins/stops-core-theme-and-plugin-updates/ (mitre, x_refsource_MISC)
- wpvulndb.com/vulnerabilities/9837 (mitre, x_refsource_MISC)