The TextP2P Texting Widget plugin for WordPress suffers from a CSRF vulnerability due to the absence of nonce validation in the imTextP2POptionPage() function responsible for processing settings updates. Specifically, the form handling settings changes lacks a wp_nonce_field(), and the POST request handler does not verify the nonce using check_admin_referer() or wp_verify_nonce(). This flaw allows an attacker to craft a forged request that, if executed by an authenticated administrator, can update all plugin settings including sensitive configurations such as API credentials and reCAPTCHA settings. The vulnerability affects all versions up to 1.7 and has a CVSS 3.1 score of 4.3 (medium severity). No patch or official fix has been documented in the vendor advisory or other sources.

An attacker who successfully exploits this CSRF vulnerability can cause an authenticated administrator to unknowingly change plugin settings. This includes modifying chat widget titles, messages, API credentials, colors, and reCAPTCHA configuration. While the vulnerability does not directly allow code execution or data disclosure, unauthorized changes to API credentials and security settings could facilitate further attacks or service disruption. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is released, administrators should be cautious about clicking links from untrusted sources while logged into WordPress with administrative privileges. Monitoring for plugin updates and applying them promptly when available is recommended. No vendor-provided mitigation or temporary fix is currently documented.