WordPress Locatoraid Store Locator Plugin <= 3.9.11 is vulnerable to Cross Site Request Forgery (CSRF)
Description
Cross-Site Request Forgery (CSRF) vulnerability in Plainware Locatoraid Store Locator plugin <= 3.9.11 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in Locatoraid Store Locator plugin versions up to 3.9.11 allows attackers to perform unauthorized actions.
Vulnerability
The Locatoraid Store Locator plugin for WordPress versions up to and including 3.9.11 is vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability exists due to missing or insufficient nonce validation on certain administrative actions, allowing an attacker to trick an authenticated administrator into performing unintended actions. [1]
Exploitation
An attacker can craft a malicious link or page that, when visited by an authenticated administrator, triggers a forged request to the WordPress admin area. The attacker does not need any special privileges beyond the ability to deliver the CSRF payload (e.g., via social engineering or a compromised site). The victim must have an active session and be logged in as an administrator. [1]
Impact
Successful exploitation allows the attacker to perform state-changing operations on the affected WordPress site, such as modifying plugin settings, adding or deleting locations, or other actions available to the administrator. This can lead to unauthorized data modification or site defacement. The impact is limited to actions the victim administrator can perform. [1]
Mitigation
The vulnerability is fixed in version 3.9.69 and later. Users should update to the latest version (3.9.70 as of the reference) immediately. No workarounds are documented. The plugin is actively maintained. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
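The defect described above is missing nonce validation on a state-changing admin action. The following is an added illustration, not Locatoraid's code: a hypothetical WordPress admin-post settings handler written first without a nonce check (the vulnerable pattern) and then with the nonce emitted in the form and verified in the handler. All `example_locator_*` names and the `api_key` option are assumptions.

```php
<?php
// Added illustration (not the plugin's own code). Function, option and
// nonce names prefixed example_locator_ are hypothetical.

// --- Vulnerable pattern: acts on POST data without verifying a nonce ---
function example_locator_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // A capability check alone is not enough: a cross-site POST issued by a
    // logged-in administrator's browser carries their cookies and reaches
    // here, because nothing proves the request came from the plugin's form.
    update_option( 'example_locator_api_key', sanitize_text_field( $_POST['api_key'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-locator&updated=1' ) );
    exit;
}

// --- Hardened pattern: nonce emitted in the form, verified in the handler ---
function example_locator_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_locator_save_settings">';
    // Emits a hidden field bound to the current user, session and action.
    wp_nonce_field( 'example_locator_save_settings', '_example_locator_nonce' );
    echo '<input type="text" name="api_key">';
    submit_button( 'Save' );
    echo '</form>';
}

function example_locator_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // check_admin_referer() runs wp_verify_nonce() on the named field and
    // stops the request with wp_die() if the nonce is missing or invalid,
    // so a forged request from another origin cannot reach update_option().
    check_admin_referer( 'example_locator_save_settings', '_example_locator_nonce' );
    update_option( 'example_locator_api_key', sanitize_text_field( $_POST['api_key'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-locator&updated=1' ) );
    exit;
}

// Route the admin-post.php action to the hardened handler only.
add_action( 'admin_post_example_locator_save_settings', 'example_locator_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, every `admin_post_*`, `wp_ajax_*` and settings-page handler that writes options or rows should show a `check_admin_referer()` or `wp_verify_nonce()` call before the write.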
Affected products
- Range: <=3.9.11
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.