Motordesk
Monthly
Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. No public exploit code has been identified at time of analysis; the CVSS 4.3 Medium score accurately reflects the social-engineering dependency, though the custom template directory path setting warrants secondary scrutiny for potential path traversal chaining.
Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. No public exploit code has been identified at time of analysis; the CVSS 4.3 Medium score accurately reflects the social-engineering dependency, though the custom template directory path setting warrants secondary scrutiny for potential path traversal chaining.