Cross-Site Request Forgery in ElasticPress Plugin for WordPress
CVE-2021-4405
4.3 MEDIUM
What is CVE-2021-4405?
The ElasticPress plugin for WordPress is susceptible to Cross-Site Request Forgery because of inadequate nonce validation in the epio_send_autosuggest_allowed() function. Unauthorized attackers may use forged requests to manipulate autosuggest features on elasticpress[.]io, provided they deceive a site administrator into performing an action such as clicking a malicious link. For WordPress sites running ElasticPress this is a significant concern, since it allows actions to be triggered without proper authentication of the request's origin.
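To illustrate the class of bug described above, here is an added example that is not code from the ElasticPress plugin: a hypothetical WordPress admin-post handler that changes a setting without verifying a nonce, beside a hardened version that checks both the nonce and the caller's capability. All function names, the action slug and the option key are assumptions made for illustration.

```php
<?php
// Added illustrative example; not ElasticPress code. Names are hypothetical.

// Vulnerable pattern: the handler acts on any POST carrying the expected
// field. An administrator's browser attaches their session cookie to a
// form submitted from another site, so the option changes without the
// admin intending it. (Registration omitted; shown only for contrast.)
function example_toggle_autosuggest_vulnerable() {
    $enabled = isset( $_POST['autosuggest_enabled'] ) ? 1 : 0;
    update_option( 'example_autosuggest_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened pattern: the settings form embeds a nonce that WordPress ties
// to this action and the current user's session.
function example_render_autosuggest_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_toggle_autosuggest">
        <?php wp_nonce_field( 'example_toggle_autosuggest', 'example_nonce' ); ?>
        <label><input type="checkbox" name="autosuggest_enabled" value="1"> Enable autosuggest</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_toggle_autosuggest_hardened() {
    // Dies with a 403 when the nonce is missing, expired, or was issued
    // for a different action or user. This is the check the vulnerable
    // handler lacks.
    check_admin_referer( 'example_toggle_autosuggest', 'example_nonce' );

    // A nonce proves the request came from a page this site rendered; the
    // capability check additionally limits who is allowed to act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.' ), '', array( 'response' => 403 ) );
    }

    $enabled = isset( $_POST['autosuggest_enabled'] ) ? 1 : 0;
    update_option( 'example_autosuggest_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_example_toggle_autosuggest', 'example_toggle_autosuggest_hardened' );
```

When reviewing a plugin for this issue, look for every admin-post, admin-ajax or REST handler that writes state and confirm it calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before doing so.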
Affected Version(s)
ElasticPress, all versions <= 3.5.3