VYPR
Unrated severity · NVD Advisory · Published May 22, 2023 · Updated Apr 28, 2026 · No known patch

WordPress Extra Block Design, Style, CSS for ANY Gutenberg Blocks Plugin <= 0.2.6 is vulnerable to Cross Site Request Forgery (CSRF)

CVE-2022-47183

Description

Cross-Site Request Forgery (CSRF) in Extra Block Design plugin (≤0.2.6) allows attackers to perform unauthorized actions via crafted requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Extra Block Design, Style, CSS for ANY Gutenberg Blocks plugin (stylist) for WordPress. Affected versions are 0.2.6 and earlier [1]. The plugin was closed and removed from the WordPress.org directory on December 12, 2022, with the closure reason listed as 'Security Issue' [1].

Exploitation

An attacker can craft a malicious link or webpage that, when visited by an authenticated WordPress administrator, triggers a forged request to perform unintended actions within the plugin's settings or functions. No direct authentication or network position beyond standard web access is required for the attacker; the attack relies on social engineering to trick the victim into clicking the crafted link or visiting the malicious site while logged into WordPress.

Impact

Successful exploitation allows the attacker to perform state-changing operations on the target WordPress site, such as altering plugin settings or injecting malicious CSS/scripts, potentially leading to privilege escalation or site compromise. The scope is limited to actions the victim administrator can perform, as the CSRF leverages the victim's session.

Mitigation

No patched version has been released; the plugin is closed and no longer available from the official WordPress.org directory. Users are advised to uninstall the plugin immediately. No workaround is provided by the vendor. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.
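An added example (not from the advisory or from the plugin's code): a Python check that looks for the `stylist` plugin directory under a WordPress root and reads its header version, so that installs can be found and uninstalled. The default `wp-content/plugins` path, the function names and the sample tree are assumptions; the sample plugin file is constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "stylist"           # plugin slug given on this page
LAST_AFFECTED = (0, 2, 6)  # page: versions <= 0.2.6 affected, no patched release
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def read_plugin_header(php_file):
    """Parse plugin header fields from the first 8 KiB, the span WordPress scans."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {k.lower(): v.strip(" \t*/\r") for k, v in HEADER_RE.findall(head)}
    return fields if "plugin name" in fields else None

def parse_version(text):
    """Turn '0.2.6' into (0, 2, 6); return None if it is not dotted-numeric."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def audit_site(wp_root):
    """Return a finding dict if the stylist plugin directory exists, else None."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return None
    version = None
    for php in sorted(plugin_dir.glob("*.php")):
        header = read_plugin_header(php)
        if header:
            version = header.get("version")
            break
    parsed = parse_version(version)
    # Fail closed: a missing or unparseable version is reported as affected.
    affected = parsed is None or parsed <= LAST_AFFECTED
    return {"path": str(plugin_dir), "version": version, "affected": affected}

def make_sample_site(root, version):
    """Build a constructed WordPress tree holding a fake stylist plugin file."""
    d = Path(root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True)
    # File name and header values are constructed sample data, not the real plugin.
    (d / "main.php").write_text(f"<?php\n/*\n * Plugin Name: Sample\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_site(make_sample_site(tmp, "0.2.6")))
```

The check only inspects files on disk, so it also reports copies that are installed but deactivated.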

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0
Plugin removed: Extra Block Design, Style, CSS for ANY Gutenberg Blocks (stylist)

This plugin was removed from the WordPress.org directory on 2022-12-12 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page


References

1
