PT-2020-20254 · WordPress+1

Published: 2020-02-06 · Updated: 2020-02-07 · CVE-2020-8658

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BestWebSoft Htaccess plugin versions prior to 1.8.2
Description: The issue allows Cross-Site Request Forgery (CSRF) attacks due to incorrect validation of the `htccss_nonce_name` flag, which is supposed to pass a nonce to WordPress for anti-CSRF protection. Because the nonce is not properly checked, an attacker can direct a logged-in victim to a malicious web page that modifies the .htaccess file, potentially taking control of the website. The attack targets the `wp-admin/admin.php?page=htaccess.php&action=htaccess_editor` endpoint.
Recommendations: For BestWebSoft Htaccess plugin versions prior to 1.8.2, update to version 1.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `wp-admin/admin.php?page=htaccess.php&action=htaccess_editor` endpoint to minimize the risk of exploitation.
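As an added illustration (this is not the plugin's code, which this record does not reproduce), a hypothetical WordPress admin handler for editing .htaccess is shown with an ineffective nonce check beside a correct one. The field name `htccss_nonce_name` and the endpoint come from the record; the action string `htccss_nonce_action`, the `htaccess_content` field and the function names are assumptions.

```php
<?php
// Added example, not BestWebSoft's code. Shows why "a nonce field is present"
// is not a CSRF check, and what WordPress core expects instead.
// Assumed names: nonce action 'htccss_nonce_action', textarea 'htaccess_content'.

// WEAK (hypothetical): only tests that the nonce field exists. A form on an
// attacker-controlled page can submit any value for it, so the victim's
// authenticated browser session writes attacker-chosen content to .htaccess.
function htccss_save_weak() {
    if ( isset( $_POST['htccss_nonce_name'] ) && isset( $_POST['htaccess_content'] ) ) {
        file_put_contents( ABSPATH . '.htaccess', wp_unslash( $_POST['htaccess_content'] ) );
    }
}

// HARDENED: the caller must hold a capability that allows changing server
// configuration, and the submitted nonce must verify against the action string
// for the current user. check_admin_referer() reads $_REQUEST['htccss_nonce_name'],
// validates it with wp_verify_nonce() and stops the request with wp_die() on
// failure. A nonce never substitutes for the capability check; do both.
function htccss_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'htccss-example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'htccss_nonce_action', 'htccss_nonce_name' );

    if ( ! isset( $_POST['htaccess_content'] ) ) {
        return;
    }
    // CSRF is the defect this record describes; content validation of the
    // .htaccess body is a separate concern and is not covered here.
    $content = wp_unslash( $_POST['htaccess_content'] );
    file_put_contents( ABSPATH . '.htaccess', $content );
}

// The editor form must emit the matching nonce so legitimate submissions pass.
// wp_nonce_field( $action, $name ) ties the hidden field to the action string
// checked above and to the logged-in user's session.
function htccss_render_form() {
    $url = admin_url( 'admin.php?page=htaccess.php&action=htaccess_editor' );
    echo '<form method="post" action="' . esc_url( $url ) . '">';
    wp_nonce_field( 'htccss_nonce_action', 'htccss_nonce_name' );
    echo '<textarea name="htaccess_content"></textarea>';
    submit_button( __( 'Save', 'htccss-example' ) );
    echo '</form>';
}
```

WordPress nonces are bound to the user and rotate every 12 to 24 hours, so a value an attacker embeds in a cross-site form cannot pass `check_admin_referer()` for the victim's session.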

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers

CVE-2020-8658

Affected Products

Bestwebsoft Htaccess
Wordpress