18 Nov 2021

WordPress Plugin Closed Today With 40,000+ Installs Contains CSRF/Arbitrary Directory Deletion Vulnerability

Today, the WordPress plugin Child Theme Generator was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin lacks protection against cross-site request forgery (CSRF), which could allow an attacker to cause a logged-in Administrator to take actions they didn't intend. Among those actions is deleting arbitrary directories on the server the website is on.

When the plugin's admin page is accessed (which is limited to Administrators), the file /admin/class-child-theme-generator-admin.php is loaded, and that in turn causes the function section_remove() in that file to run:
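As an added illustration, and not the plugin's own code or a description of how it is written, the following shows the pattern a WordPress admin action that removes a directory should follow: a nonce check defeats CSRF, a capability check limits who may trigger it, and the target is confined to a known parent directory so an arbitrary path cannot be deleted. The function, hook, parameter and nonce names are assumptions for the example.

```php
<?php
// Added example: a hardened admin action handler for removing a generated
// child-theme directory. Names (ctg_*, the 'dir' parameter, the nonce
// action) are assumptions for illustration, not the plugin's own code.

function ctg_example_remove_section() {
    // 1. Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the request must carry a nonce tied to this action.
    //    check_admin_referer() calls wp_die() itself when the nonce is bad.
    check_admin_referer( 'ctg_remove_section', '_ctg_nonce' );

    // 3. Confine the target: accept only a bare directory name, resolve it
    //    under the themes root, and refuse anything that escapes that root.
    $name = isset( $_POST['dir'] ) ? sanitize_file_name( wp_unslash( $_POST['dir'] ) ) : '';
    if ( '' === $name || '.' === $name || '..' === $name ) {
        wp_die( 'Invalid directory name.' );
    }
    $root   = realpath( get_theme_root() );
    $target = ( false === $root ) ? false : realpath( trailingslashit( $root ) . $name );
    if ( false === $root || false === $target
        || 0 !== strpos( $target, trailingslashit( $root ) ) ) {
        wp_die( 'Directory is outside the themes root.' );
    }

    // 4. Delete through the WordPress filesystem API, recursively.
    global $wp_filesystem;
    if ( ! function_exists( 'WP_Filesystem' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    WP_Filesystem();
    if ( ! $wp_filesystem->rmdir( $target, true ) ) {
        wp_die( 'Could not remove directory.' );
    }
    wp_safe_redirect( admin_url( 'themes.php' ) );
    exit;
}
add_action( 'admin_post_ctg_remove_section', 'ctg_example_remove_section' );

// The form that triggers the action must emit the matching nonce field:
//   wp_nonce_field( 'ctg_remove_section', '_ctg_nonce' );
//   <input type="hidden" name="action" value="ctg_remove_section">
```

Without the nonce check in step 2, any page an Administrator visits could submit this form on their behalf, which is the CSRF exposure described above; without the confinement in step 3, a forged request could name any directory.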