WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Description
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MaxButtons WordPress plugin <= 9.2 is vulnerable to multiple CSRF attacks allowing unauthorized actions by tricking logged-in admins.
Vulnerability
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities exist in the MaxButtons plugin for WordPress, version 9.2 and earlier [1]. These flaws allow an attacker to trick an authenticated administrator into performing unintended actions, such as modifying button settings or deleting buttons, without their knowledge.
Exploitation
To exploit the vulnerability, an attacker must convince a logged-in WordPress administrator to click a crafted link or visit a malicious webpage while authenticated to the admin panel [1]. No additional privileges are required beyond the victim having an active session. The attacker can then force the victim to unknowingly execute arbitrary actions within the MaxButtons plugin.
Impact
Successful exploitation enables an attacker to perform arbitrary actions on behalf of the victim administrator, including creating, editing, or deleting buttons and potentially changing plugin settings [1]. This could lead to website defacement, data loss, or further compromise of the WordPress installation.
Mitigation
The vulnerabilities are fixed in version 9.3 or later [1]. The current latest version (9.8.5) is not affected. Administrators should update the plugin to the latest available version. No workarounds have been disclosed.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Max Foundry/MaxButtons (WordPress plugin) v5 Range: <= 9.2
Patches
No patches discovered yet.
References
- patchstack.com/database/vulnerability/maxbuttons/wordpress-maxbuttons-plugins-9-2-multiple-cross-site-request-forgery-csrf-vulnerabilities (mitre, x_refsource_CONFIRM)
- wordpress.org/plugins/maxbuttons/ (mitre, x_refsource_CONFIRM)