CVE-2022-1591 The WordPress Ping Optimizer plugin before 2.35.1.3.0 had no CSRF check, which could allow attackers to make a logged in admin change them.

If a logged in user visits an attacker controlled blog, a vulnerability in the WordPress plugin can be exploited to change the settings. WordPress plugin versions before 2.35.1.3.0 do not have CSRF protection in place when changing settings, which could allow an attacker to change the settings using a CSRF attack. In most cases, WordPress settings can be changed only by an admin user. This makes CSRF attacks much more dangerous, since they can be used to change any critical WordPress settings, such as database credentials. WordPress plugin versions before 2.35.1.3.0 do not have proper CSRF protection in place when updating its settings, which could allow an attacker to make a logged in admin change the settings via a CSRF attack, if a logged in user visits an attacker controlled website. WordPress plugin versions before 2.35.1.3.0 do not have proper CSRF protection in place when changing its settings, which could allow an attacker to make a logged in admin change the settings via a CSRF attack, if a logged in user visits an attacker controlled website. WordPress plugin versions before 2.35.1.3.0 do not have proper CSRF protection in place when updating its settings, which could allow an attacker to make a logged in admin change the settings via a CSRF attack, if a logged in user visits an attacker controlled website. WordPress plugin versions before 2.35.1.3.0 do not have proper CSRF protection

Details of the vulnerability

The vulnerability exists in the WordPress plugin because it does not have proper CSRF protection in place when updating its settings, which could allow an attacker to make a logged in admin change the settings via a CSRF attack, if a logged in user visits an attacker controlled website. Affected users can update their WordPress plugin to fix the issue by going to Settings > Plugins and clicking Update next to "WordPress Security Scan".
This is only one of many vulnerabilities that exist with this plugin. Users should update any vulnerable plugins immediately.

Vulnerable Devices:

The following devices are vulnerable to the issue:
* Any WordPress website running the plugin with administrator privileges
* Any WordPress website running the plugin with an anonymous user
* Any WordPress website running the plugin with a user who is not an admin

Timeline

Published on: 09/19/2022 14:15:00 UTC
Last modified on: 09/21/2022 06:25:00 UTC

References

• https://wpscan.com/vulnerability/b1a52c7e-3422-40dd-af5a-ea4c622a87aa
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1591