VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2023 · Updated Feb 19, 2025

WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF

CVE-2023-0500

Description

The WP Film Studio WordPress plugin before 1.3.5 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing CSRF nonce check on the plugin activation functionality allows an attacker to forge requests on behalf of an authenticated administrator."

Attack vector

An attacker crafts a malicious page or link that, when visited by a logged-in WordPress administrator, silently submits a forged request to the WP Film Studio plugin's activation endpoint [ref_id=1]. Because the plugin lacks a CSRF check [CWE-352], the administrator's browser sends the request with their valid session cookies, causing an arbitrary plugin already present on the blog to be activated without the administrator's knowledge or consent [ref_id=1]. The attack requires no special network position beyond the ability to deliver the crafted payload to the victim administrator.

Affected code

The advisory does not specify the exact file or function name within the WP Film Studio plugin that handles plugin activation without a CSRF check [ref_id=1]. The vulnerable code is present in versions before 1.3.5.

What the fix does

The advisory states the vulnerability is fixed in version 1.3.5 of the WP Film Studio plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation would involve adding a CSRF nonce check (e.g., using WordPress's `wp_nonce_field()` or `wp_nonce_url()` to issue the nonce and `check_admin_referer()` to verify it) to the plugin activation handler, so that the request is only processed when accompanied by a valid nonce [ref_id=1]. A WordPress nonce is derived from the user's ID and session token, so a page on an attacker-controlled origin cannot supply one; a capability check alone (`current_user_can( 'activate_plugins' )`) does not help against CSRF, because the forged request is made by the administrator's own browser and carries their cookies.
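The following is an added illustration, not code from the WP Film Studio plugin (whose affected handler the advisory does not identify). It shows a hypothetical admin-post.php activation handler in the vulnerable shape the advisory describes, next to a hardened version that binds a nonce to the requested plugin file and verifies it with `check_admin_referer()`. The action names `fs_activate_plugin_vuln` / `fs_activate_plugin`, the nonce parameter `_fsnonce` and the helper `fs_activation_link()` are invented for the example.

```php
<?php
/*
 * Added example (not the WP Film Studio plugin's own code).
 * Hook, action and parameter names below are hypothetical.
 */

/* ---- Vulnerable pattern (CWE-352): capability check, no nonce ---- */
add_action( 'admin_post_fs_activate_plugin_vuln', function () {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // The capability check passes for a CSRF victim: the administrator's
    // browser sends the forged request together with their session cookie.
    $plugin = sanitize_text_field( wp_unslash( $_REQUEST['plugin'] ?? '' ) );
    activate_plugin( $plugin );            // any installed plugin is activated
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
} );

/* ---- Hardened pattern: nonce issued per plugin file, verified on use ---- */

// Builds the link the plugin's own admin UI would render. wp_nonce_url()
// appends a nonce tied to the current user's session and to this action.
function fs_activation_link( $plugin_file ) {
    $url = add_query_arg(
        array( 'action' => 'fs_activate_plugin', 'plugin' => $plugin_file ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'fs_activate_' . $plugin_file, '_fsnonce' );
}

add_action( 'admin_post_fs_activate_plugin', function () {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $plugin = sanitize_text_field( wp_unslash( $_REQUEST['plugin'] ?? '' ) );

    // Verify the nonce for this exact plugin file; check_admin_referer()
    // calls wp_die() when the nonce is missing, expired or for another user.
    check_admin_referer( 'fs_activate_' . $plugin, '_fsnonce' );

    // Defence in depth: reject traversal and anything not actually installed.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    if ( validate_file( $plugin ) !== 0 || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_die( 'Unknown plugin.' );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'plugins.php?activate=true' ) );
    exit;
} );
```

If the plugin performs activation through an `admin-ajax.php` handler instead, the equivalent guard is `check_ajax_referer( 'fs_activate_' . $plugin, '_fsnonce' )` with the nonce emitted by `wp_create_nonce()` into the page's script. The `get_plugins()` lookup does not replace the nonce check: the advisory's attack activates plugins that are already installed, which that lookup would accept.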

Preconditions

  • auth: The victim must be logged in as a WordPress administrator.
  • network: The attacker must be able to deliver a crafted link or page to the victim (e.g., via email, social engineering, or embedding on a third-party site).
  • input: The target plugin to be activated must already be present on the WordPress blog (installed but not activated).

Reproduction

1. Ensure a target plugin (e.g., `malicious-plugin/malicious-plugin.php`) is installed on the WordPress site but not activated.
2. Craft an HTML page that auto-submits a request to the WP Film Studio plugin's own activation handler, naming the target plugin file as the parameter. WordPress core's `wp-admin/plugins.php?action=activate&plugin=...` endpoint is not a usable CSRF target, because it requires a valid `_wpnonce` bound to the administrator's session, which the attacker cannot obtain; the vulnerable handler is the plugin's unprotected one, whose URL and parameter names the advisory does not specify [ref_id=1].
3. Lure a logged-in administrator to visit the crafted page.
4. The arbitrary plugin becomes activated without the administrator's consent [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
