I lurk at LET every day, but I don't post very often because I'm the silent type of guy and English is neither my first nor my second language. Thanking was a very good way for me to 'interact' with other members. Since no one seems to be working on a fix, I figured I'd try to fix it myself.
I was aware for quite a while now that there's a CSRF exploit in the thank plugin that enables you to make others thank you without them having to click the thank-you button. I never thought of reporting it, so I don't know if it's the same thing that @gsrdgrdghd found and reported to @Chief.
Anyway here's my attempt at fixing it:
https://github.com/macr/ThankfulPeople
I've only modified a few lines; I basically added the check for the TransientKey before adding the "thank".
See what I've changed:
https://github.com/macr/ThankfulPeople/commit/3ae895b8ab738868a88a8b05bed8ebd73e43fa79
@gsrdgrdghd
Can you confirm if it's the same exploit you found?
@Chief
Any chance you can test and implement it if it solved the exploit?
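An added illustration of why the TransientKey check closes the hole (this is a stand-alone model written for this post, not code from the ThankfulPeople plugin or from the linked commit; `Session`, `Request`, the `PostID` and `TransientKey` parameter names and the handler names are assumed stand-ins for the real plugin's objects). A forged cross-site request rides on the victim's session cookie, so the vulnerable handler records the thank; the attacker's page cannot read the victim's TransientKey, so the fixed handler refuses the same request and only accepts the one the real button sends.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Assumed stand-in for the forum's logged-in session (constructed here)."""
    user_id: int
    # Per-session secret the real "thank" button includes; unreadable cross-site.
    transient_key: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Assumed stand-in for an incoming HTTP request: the session the browser's
    cookie resolves to, plus the submitted parameters."""
    session: Session
    params: dict


def thank_vulnerable(req: Request, store: dict) -> bool:
    """Old shape: any request naming a post is honoured, so a forged request
    from another site (carrying the victim's cookie) records a thank."""
    post_id = int(req.params["PostID"])
    store.setdefault(post_id, set()).add(req.session.user_id)
    return True


def thank_fixed(req: Request, store: dict) -> bool:
    """Fixed shape: refuse unless the request carries the session's own
    TransientKey. Constant-time compare avoids leaking the key by timing."""
    supplied = req.params.get("TransientKey", "")
    if not hmac.compare_digest(supplied, req.session.transient_key):
        return False  # missing or wrong key: do nothing
    post_id = int(req.params["PostID"])
    store.setdefault(post_id, set()).add(req.session.user_id)
    return True


def simulate() -> tuple:
    """Constructed scenario: a forged request (no key) and a legitimate one."""
    victim = Session(user_id=7)
    forged = Request(victim, {"PostID": "42"})  # attacker cannot supply the key
    legit = Request(victim, {"PostID": "42", "TransientKey": victim.transient_key})
    vuln_store, fixed_store = {}, {}
    return (thank_vulnerable(forged, vuln_store),   # True: thank recorded
            thank_fixed(forged, fixed_store),       # False: rejected
            thank_fixed(legit, fixed_store),        # True: real click accepted
            fixed_store)


if __name__ == "__main__":
    print(simulate())
```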