### Vulnerability Summary: Auto Post Scheduler

**1. Vulnerability Overview**

* **Vulnerability Name:** Cross-Site Request Forgery (CSRF) in Auto Post Scheduler
* **Affected Software:** Auto Post Scheduler (WordPress Plugin)
* **CVSS Score:** 9.8 (Critical)
* **Vulnerability Type:** Cross-Site Request Forgery (CSRF) / CWE-11 (Broken Access Control)
* **Description:** The plugin is vulnerable to CSRF in versions 1.18 and earlier due to a missing nonce check on the `auto_post_scheduler_action` hook. This allows an attacker to trick a logged-in user with the 'administrator' role into performing unintended actions, requiring no additional privileges.
* **Potential Impact:** The sidebar mentions that vulnerabilities in this plugin can be exploited to achieve Remote Code Execution (RCE), and the plugin is associated with 24 active WordPress vulnerabilities.

**2. Impact/Scope**

* **Affected Versions:** Versions earlier than 1.18 (< 1.18)
* **Affected User Role:** Registered users with the 'administrator' role

**3. Remediation**

* **Recommended Action:** Update the Auto Post Scheduler plugin to the latest version.

**4. POC/Exploit**

* No specific Proof of Concept (PoC) code or exploit script is provided in the screenshot.
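As an added illustration (not the plugin's own code), this is the nonce-plus-capability pattern WordPress provides for an admin action handler, i.e. the check whose absence is described above. The function, field and option names are hypothetical; only the action name `auto_post_scheduler_action` comes from the summary.

```php
<?php
// Added example, not code from the Auto Post Scheduler plugin. Function, field
// and option names are hypothetical; only the action name is from the advisory.

// 1. Rendering the form: embed a nonce bound to this specific action.
function aps_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="auto_post_scheduler_action">
        <?php wp_nonce_field( 'auto_post_scheduler_action', '_aps_nonce' ); ?>
        <label>Interval (minutes) <input type="number" name="interval" min="1"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handling the submission. admin-post.php routes a POST with
//    action=auto_post_scheduler_action to this callback for logged-in users.
function aps_example_handle_action() {
    // Capability check: a logged-in user without admin rights is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Nonce check: a request forged from another origin cannot carry a valid
    // nonce for this action, so check_admin_referer() calls wp_die() and the
    // state change below never runs. This is the check the vulnerable hook lacks.
    check_admin_referer( 'auto_post_scheduler_action', '_aps_nonce' );

    // Only after both checks pass: validate input and change state.
    $interval = isset( $_POST['interval'] ) ? absint( $_POST['interval'] ) : 0;
    if ( $interval < 1 ) {
        wp_die( 'Invalid interval', '', array( 'response' => 400 ) );
    }
    update_option( 'aps_example_interval', $interval );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_auto_post_scheduler_action', 'aps_example_handle_action' );
```

The order matters: the capability check and the nonce check both run before any option is written, so neither a lower-privileged user nor a cross-site request reaches the state change.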