27 Oct 2016

Cross-Site Request Forgery (CSRF) Vulnerability in GoDaddy Email Marketing

We recently found that the GoDaddy Email Marketing plugin contained a cross-site request forgery (CSRF) vulnerability that could have caused all of the data associated with the plugin to be deleted.

When the plugin's debug mode is enabled, options to perform a "cache reset" or a "hard reset" are made available. The "hard reset" deletes all of the plugin's data. As of version 1.1.2, a request for the URL /wp-admin/options-general.php?page=gem-settings&action=debug-reset would cause that to happen. As you can see, there is no nonce included in that URL, and nonces are the mechanism WordPress uses to prevent CSRF (there was also no check that a valid nonce had been supplied before the request was processed). Without that check, anyone who could get a logged-in administrator to visit that URL directly, or cause their browser to send a request to it from a page the attacker controls, could have all of the plugin's data deleted.
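To make the missing check concrete, here is an added example (not the plugin's own code) contrasting a handler that dispatches on the query string alone with one that issues a nonce via wp_nonce_url() and verifies it with check_admin_referer(); the function names and the option key are assumptions.

```php
<?php
// Added illustrative example, not the GoDaddy Email Marketing plugin's code.
// The gem_example_* function names and the option key are assumptions.

// Vulnerable pattern: the action is dispatched purely on the query string.
// Any page that can make a logged-in administrator load
// /wp-admin/options-general.php?page=gem-settings&action=debug-reset
// triggers the reset, because nothing proves the admin intended the request.
function gem_example_handle_debug_reset_vulnerable() {
    if ( isset( $_GET['action'] ) && 'debug-reset' === $_GET['action'] ) {
        gem_example_delete_all_plugin_data();
    }
}

// Hardened pattern: the link carries a nonce tied to the logged-in user and
// the action name, and the handler refuses to act unless the nonce verifies
// and the user actually has the capability to manage the plugin.
function gem_example_debug_reset_url() {
    $url = admin_url( 'options-general.php?page=gem-settings&action=debug-reset' );
    // wp_nonce_url() appends _wpnonce=<token> bound to the named action.
    return wp_nonce_url( $url, 'gem-debug-reset' );
}

function gem_example_handle_debug_reset_hardened() {
    if ( ! isset( $_GET['action'] ) || 'debug-reset' !== $_GET['action'] ) {
        return;
    }
    // Authorization: is this user allowed to administer the plugin at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF protection: check_admin_referer() verifies the _wpnonce for this
    // action and stops execution with an error page if it is missing or stale.
    check_admin_referer( 'gem-debug-reset' );
    gem_example_delete_all_plugin_data();
}

function gem_example_delete_all_plugin_data() {
    // Stand-in for the destructive operation; the option name is an assumption.
    delete_option( 'gem_example_settings' );
}
```

Because a WordPress nonce is derived from the current user's session and the action name, a cross-site page cannot construct a valid one, so the hardened handler rejects forged requests before reaching the destructive call.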