WC Sales Notification < 1.2.3 - Arbitrary Plugin Activation via CSRF
Description
The WC Sales Notification WordPress plugin before 1.2.3 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / WC Sales Notification WordPress plugin
- Range: <1.2.3
Patches
Vulnerability mechanics
Root cause
"Missing CSRF nonce check in the plugin activation functionality allows attackers to forge requests on behalf of an authenticated administrator."
Attack vector
An attacker crafts a malicious page or link that, when visited by a logged-in WordPress administrator, silently submits a forged request to activate an arbitrary plugin already present on the blog [ref_id=1]. The WC Sales Notification plugin fails to include or verify a CSRF token in its plugin activation handler, so the browser automatically attaches the admin's session cookies and the request is processed as legitimate [CWE-352]. The attack requires no special network position beyond the ability to trick an admin into visiting the attacker-controlled resource.
Affected code
The advisory does not specify the exact file or function name. The vulnerable code is the plugin activation handler within the WC Sales Notification plugin (versions before 1.2.3) that lacks a CSRF check [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 1.2.3 of the WC Sales Notification plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation would involve adding a CSRF nonce check (e.g., `check_admin_referer()`) to the plugin activation callback so that the action only proceeds when accompanied by a valid, user-specific token. Administrators should update to version 1.2.3 or later.
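As an added example that is not the plugin's own code, this is the shape of a hardened admin-side activation handler along the lines the fix describes: a capability check, a nonce check via WordPress's referer helpers, and validation of the requested plugin against what is actually installed. The hook name, action name, request parameter names and the `wcsn-admin` script handle are assumptions, since the advisory does not name the real handler.

```php
<?php
// Added example, not code from the WC Sales Notification plugin. Hook, action and
// parameter names (wcsn_*) and the 'wcsn-admin' script handle are assumptions.

add_action( 'wp_ajax_wcsn_activate_plugin', 'wcsn_handle_activate_plugin' );

function wcsn_handle_activate_plugin() {
    // 1. Capability check: only users allowed to activate plugins may proceed.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 );
    }

    // 2. CSRF check: the request must carry a nonce bound to this action and to
    //    the current user. A cross-site form cannot obtain that value, so a forged
    //    request fails here. check_ajax_referer() terminates on failure by default.
    check_ajax_referer( 'wcsn_activate_plugin', 'nonce' );

    // 3. Do not trust the plugin path verbatim: require it to be an installed plugin.
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    if ( '' === $plugin || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown_plugin', 400 );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'activated' => $plugin ) );
}

// The nonce is issued server-side when the admin page is rendered so that the
// plugin's own JavaScript (omitted here) can include it in legitimate requests.
// Assumes a script with handle 'wcsn-admin' has already been registered.
function wcsn_enqueue_admin_script() {
    wp_localize_script( 'wcsn-admin', 'wcsnData', array(
        'nonce' => wp_create_nonce( 'wcsn_activate_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wcsn_enqueue_admin_script' );
```

For a non-AJAX form handler the equivalent pair is `wp_nonce_field()` when rendering the form and `check_admin_referer()` when processing it.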
Preconditions
- auth: A WordPress administrator must be logged in to the target site.
- input: The attacker must trick the administrator into visiting a crafted page or link that submits the forged request.
- config: The target plugin (WC Sales Notification) must be installed and active, and the attacker must know the slug of an arbitrary plugin already present on the blog to activate.
Reproduction
1. Ensure a WordPress administrator is logged into the target site.
2. Craft an HTML page containing a form that submits a POST request to the WordPress admin AJAX endpoint with the action parameter set to activate an arbitrary plugin (e.g., `action=activate&plugin=malicious-plugin/malicious-plugin.php`).
3. Host the page and lure the administrator into visiting it.
4. The administrator's browser sends the request with their session cookies, and the plugin activation succeeds without a CSRF nonce check [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/356c89a1-81b6-4600-9291-1a74788af7f9 (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.