CVE-2018-11632

Name of the Vulnerable Software and Affected Versions MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin version 1.0.8

Description An issue in the plugin allows an attacker to change its settings via a crafted URL, exploiting a CSRF vulnerability in the wp-admin/admin-post.php endpoint. This can be achieved by tricking an admin user into visiting the malicious URL, potentially through spear phishing or social engineering tactics. The whatsapp share setting add update() function lacks a nonce or capability check, making it vulnerable to such attacks.

Recommendations For MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin version 1.0.8, consider disabling the whatsapp share setting add update() function until a patch is available to prevent exploitation. Restrict access to the wp-admin/admin-post.php endpoint to minimize the risk of CSRF attacks.