CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
What the vulnerability does
The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Explanation of Vulnerability in Simple Terms
Homerunner versions up to 1.0.30 contain a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unwanted actions on behalf of authenticated users. The vulnerability requires user interaction—typically clicking a malicious link or visiting a compromised page. An attacker cannot read or delete data, but can modify site content or settings if a logged-in admin or user visits their crafted page.
What an attacker can do
Perform unwanted actions (modify content, change settings) on behalf of a logged-in user who visits a malicious page.
Potential impact on your site
Admins or users could unknowingly make changes to site content or configuration if tricked into visiting a malicious link while logged in.
Conditions required to exploit
Target user must be logged in and click a link or visit a page controlled by the attacker.
Key dates
External resources
Related vulnerabilities
