Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation

An unauthenticated attacker can send a crafted request to the WordPress admin AJAX endpoint that triggers the plugin's plugin-deactivation routine. Because the plugin lacks both authorization checks (CWE-862) and CSRF nonce validation, no authentication or user interaction is required [ref_id=1]. The attacker simply needs to know or guess the slug of the target plugin to disable it.

The advisory does not specify exact file paths or function names [ref_id=1]. The vulnerable functionality resides within the Webmaster Tools Verification plugin (slug: webmaster-tools-verification) version 1.2 and earlier, in the code path that handles plugin deactivation requests.

No patch has been published by the vendor; the advisory notes "No known fix" [ref_id=1]. To remediate the vulnerability, the plugin should add a capability check (e.g., current_user_can('activate_plugins')) and a CSRF nonce verification before processing any plugin-deactivation action. Until a patched version is released, site administrators should disable or remove the plugin.