The Themify Store Locator plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2024-12414. This vulnerability exists in all versions up to and including 1.1.9 due to missing or incorrect nonce validation in the setting_page() function, which handles administrative settings changes. Nonces in WordPress are security tokens used to verify that requests to change settings originate from legitimate users and not from forged requests. The absence or improper implementation of nonce validation allows an attacker to craft a malicious link or webpage that, when visited by an authenticated site administrator, triggers unauthorized changes to the plugin’s settings without their consent. Since the attacker does not need to be authenticated, the attack vector relies solely on social engineering to induce the administrator to perform the action. The vulnerability affects the integrity of the plugin’s configuration but does not directly expose sensitive data or disrupt service availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that the attack is network-based, requires low attack complexity, no privileges, but requires user interaction, and impacts integrity only. No patches or exploits are currently publicly available, but the risk remains significant for sites using this plugin without mitigation.

The primary impact of this vulnerability is unauthorized modification of the Themify Store Locator plugin settings by an attacker who tricks an administrator into clicking a malicious link. This can lead to configuration changes that may degrade site functionality, redirect users, or facilitate further attacks such as injecting malicious content or enabling other vulnerabilities. While confidentiality and availability are not directly affected, integrity compromise can undermine trust in the website and potentially open pathways for additional exploitation. Organizations running WordPress sites with this plugin are at risk of unauthorized administrative changes that could affect user experience and site security. The medium CVSS score reflects moderate risk, but the ease of exploitation via social engineering and the widespread use of WordPress make this a relevant threat for many websites globally.

To mitigate this vulnerability, organizations should immediately update the Themify Store Locator plugin to a version that includes proper nonce validation once available. Until a patch is released, administrators should implement the following specific measures: 1) Restrict administrative access to trusted networks or VPNs to reduce exposure to CSRF attacks. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious POST requests targeting the plugin’s settings page. 3) Educate administrators about the risks of clicking unsolicited links and encourage verification of URLs before interaction. 4) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts that could facilitate CSRF. 5) Regularly audit plugin settings and logs for unauthorized changes. 6) Consider disabling or removing the plugin if it is not essential to reduce attack surface. These targeted actions go beyond generic advice by focusing on access control, user awareness, and proactive monitoring specific to this vulnerability.