
CVE-2024-12555: CWE-352 Cross-Site Request Forgery (CSRF) in mgplugin SIP Calculator

Severity: Medium
Tags: vulnerability, cve-2024-12555, cwe-352
Published: Sat Dec 14 2024 (12/14/2024, 04:23:37 UTC)
Source: CVE Database V5
Vendor/Project: mgplugin
Product: SIP Calculator

Description

CVE-2024-12555 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability affecting all versions of the mgplugin SIP Calculator WordPress plugin up to and including 1.0. The vulnerability arises from missing nonce validation in a plugin function, allowing unauthenticated attackers to trick site administrators into performing unintended actions by clicking malicious links. Exploitation requires user interaction but no authentication, and can lead to limited confidentiality and integrity impacts. No known exploits are currently reported in the wild. The vulnerability affects WordPress sites using this plugin globally, with higher risk in countries with widespread WordPress adoption and significant use of this plugin. Mitigation involves applying nonce validation to critical functions and educating administrators to avoid clicking suspicious links. Given the CVSS score of 6.1, the threat is medium severity, with a scope limited to affected plugin installations.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 03:44:15 UTC

Technical Analysis

The SIP Calculator plugin for WordPress, developed by mgplugin, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2024-12555. This vulnerability exists in all versions up to and including 1.0 due to the absence of nonce validation on a critical function within the plugin. Nonce validation is a security mechanism used in WordPress to ensure that requests are intentional and originate from legitimate users. Without this protection, an attacker can craft a malicious web request that, when executed by an authenticated site administrator (e.g., by clicking a specially crafted link), causes the plugin to perform unintended actions. Because the vulnerability does not require the attacker to be authenticated and only requires user interaction, it poses a risk of unauthorized changes or injection of malicious scripts. The CVSS v3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction, and partial impact on confidentiality and integrity with no impact on availability. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-352, a common web security weakness related to CSRF attacks. This issue highlights the importance of implementing nonce checks in WordPress plugin development to prevent unauthorized state-changing requests.

Potential Impact

Organizations running WordPress sites with the mgplugin SIP Calculator plugin are at risk of unauthorized actions being performed on their sites if an attacker successfully tricks an administrator into clicking a malicious link. Potential impacts include unauthorized modification of plugin settings or data, injection of malicious scripts, or other unintended state changes that could compromise site integrity or confidentiality. While the vulnerability does not directly affect availability, the integrity and confidentiality impacts could facilitate further attacks such as privilege escalation or data leakage. The risk is amplified in environments where administrators have high privileges and where the plugin is actively used for critical business functions. Since exploitation requires user interaction, social engineering is a key factor, which could be leveraged in targeted attacks. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

Mitigation Recommendations

To mitigate this vulnerability, plugin developers should implement proper nonce validation on all state-changing functions to ensure requests are legitimate and intentional. Site administrators should update the plugin as soon as a patch is released. Until a patch is available, administrators should minimize exposure by limiting plugin usage, restricting administrative access, and avoiding clicking on suspicious or unsolicited links. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts can provide additional protection. Security awareness training for administrators to recognize phishing and social engineering attempts is critical. Regular security audits of plugins and monitoring for unusual administrative actions can help detect exploitation attempts early. Finally, consider disabling or removing the SIP Calculator plugin if it is not essential to reduce the attack surface.
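The developer-side fix described above, as an added illustration that is not code from the SIP Calculator plugin or from mgplugin: a hypothetical WordPress settings handler in the unprotected shape the advisory describes (a state-changing function with no nonce check) beside the hardened form. The hook names, option name, nonce action and form fields are assumptions; the WordPress functions used (check_admin_referer, wp_nonce_field, check_ajax_referer, current_user_can) are the real core API.

```php
<?php
/*
 * Added illustration, not code from the SIP Calculator plugin.
 * Hypothetical settings handler for a WordPress plugin, shown first in the
 * unprotected shape the advisory describes (no nonce check) and then in a
 * hardened form. Option, action and field names are assumptions.
 */

// --- Vulnerable pattern: every request that reaches this hook is trusted. ---
// The browser of a logged-in administrator attaches the session cookie to any
// request to admin-post.php, so nothing here proves the administrator intended
// the change. This is the CWE-352 condition.
function sipcalc_save_settings_unsafe() {
    update_option( 'sipcalc_default_rate', $_POST['default_rate'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=sipcalc' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce check + input validation. ---
function sipcalc_save_settings() {
    // 1. Authorisation. A nonce proves intent, not permission, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF protection. check_admin_referer() calls wp_die() with a 403
    //    unless the _wpnonce field holds a valid, unexpired nonce that was
    //    generated for this action and this user's session.
    check_admin_referer( 'sipcalc_save_settings', '_wpnonce' );

    // 3. Validate and sanitise before persisting (assumed range for the rate).
    $rate = isset( $_POST['default_rate'] )
        ? floatval( wp_unslash( $_POST['default_rate'] ) )
        : 0.0;
    if ( $rate < 0 || $rate > 100 ) {
        wp_die( 'Rate must be between 0 and 100', 'Bad Request', array( 'response' => 400 ) );
    }
    update_option( 'sipcalc_default_rate', $rate );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=sipcalc' ) ) );
    exit;
}
add_action( 'admin_post_sipcalc_save', 'sipcalc_save_settings' );

// The settings form must emit the matching nonce so legitimate submissions pass.
function sipcalc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sipcalc_save">
        <?php wp_nonce_field( 'sipcalc_save_settings', '_wpnonce' ); ?>
        <label>Default rate (%)
            <input type="number" step="0.01" name="default_rate"
                   value="<?php echo esc_attr( get_option( 'sipcalc_default_rate', '12' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AJAX variant of the same handler: check_ajax_referer() ends the request with
// a 403 / -1 response instead of wp_die(), and the nonce travels in a field
// named "nonce" (assumed) that the page's script sends with the request.
function sipcalc_ajax_save() {
    check_ajax_referer( 'sipcalc_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rate = floatval( wp_unslash( $_POST['default_rate'] ?? 0 ) );
    update_option( 'sipcalc_default_rate', $rate );
    wp_send_json_success( array( 'rate' => $rate ) );
}
add_action( 'wp_ajax_sipcalc_save', 'sipcalc_ajax_save' );
```

Two points worth keeping in mind when auditing a plugin for this class of bug: the nonce check and the capability check are independent (a nonce only shows the request came from a page WordPress rendered for that user, so a handler that checks the nonce but not current_user_can() is still authorisation-broken), and link-driven actions need the same treatment via wp_nonce_url() on the link and check_admin_referer() on the handler.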


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-11T22:03:08.791Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e41b7ef31ef0b59bcae

Added to database: 2/25/2026, 9:48:49 PM

Last enriched: 2/26/2026, 3:44:15 AM

Last updated: 2/26/2026, 8:53:19 AM
