VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2023 · Updated Apr 28, 2026

WordPress MyCryptoCheckout Plugin <= 2.125 is vulnerable to Cross Site Request Forgery (CSRF)

CVE-2023-41693

Description

Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview MyCryptoCheckout plugin <= 2.125 versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the MyCryptoCheckout plugin <= 2.125 for WordPress allows an attacker to forge requests on behalf of an authenticated admin.

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the MyCryptoCheckout plugin for WordPress, versions 2.125 and earlier. The plugin fails to implement proper CSRF tokens or validation mechanisms in its administrative functions, allowing an attacker to trick an authenticated administrator into performing unintended actions.

Exploitation

To exploit this vulnerability, an attacker must craft a malicious link or web page that, when visited by an authenticated administrator, sends forged requests to the WordPress site. The attacker does not need any special privileges beyond the ability to host a web page or send a link. The victim must be logged into the WordPress admin panel and interact with the attacker-controlled content.

Impact

Successful exploitation could result in unauthorized modification of plugin settings, configuration changes, or other actions performed with the administrator's privileges. The confidentiality, integrity, and availability of the site could be affected depending on the forged action performed (e.g., changing payment addresses, disabling security features, or altering transaction settings).

Mitigation

Users should update to version 2.126 or later, where the CSRF issue is addressed. The official plugin repository [1] provides the latest version. As of the publication date, no other workarounds are documented; updating the plugin is the recommended mitigation.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
