If you use WordPress and rely on the Insights from Google PageSpeed plugin to measure and boost your site speed, you might have been at risk without knowing it. In this article, we’ll break down CVE-2022-1672: a Cross Site Request Forgery (CSRF) vulnerability in the Insights from Google PageSpeed plugin before version 4..7. We’ll go over what CSRF is, why this bug was dangerous, show you a (safe, educational) code snippet, and link to the original disclosures. All in plain English.

What Is CVE-2022-1672?

CVE-2022-1672 is a security flaw found in the Insights from Google PageSpeed WordPress plugin versions before 4..7. This plugin helps admins see how fast their WordPress site is, straight from the admin dashboard.

The vulnerability:
The plugin did not verify a CSRF token (in WordPress terms, a nonce) before performing important actions, such as deleting custom PageSpeed URLs. Without this check, an attacker could trick a logged-in admin's browser into deleting those entries without the admin realizing it.

What is CSRF (Cross Site Request Forgery)?

CSRF is an attack in which an attacker tricks a logged-in user (often an admin) into performing an action they did not intend on a website. It can happen when the user clicks a crafted link or visits a malicious web page. Two conditions make it possible:

- The target is logged in to the vulnerable site.

- The site does not verify that requests come from a legitimate source (usually checked with a CSRF token).

If both conditions are met, an attacker can make the victim’s browser send unwanted commands, such as deleting custom URLs.

Why Does the Google PageSpeed WordPress Plugin Bug Matter?

Custom URLs in the PageSpeed plugin help admins track specific URLs or resources on their site. Deleting these could mess with speed analysis, tracking, or website optimization.

Example attack:
An attacker creates a webpage containing a hidden form. If a logged-in WordPress admin visits that page, their browser can submit the form and trigger the deletion of custom PageSpeed analysis URLs without the admin knowing.

Result:
The custom URLs are gone and the plugin's speed tracking for those pages stops, even though the admin never intended any of it.

How the Vulnerability Works (With Example Code)

The actual problem is missing CSRF (nonce) verification in the function that deletes custom URLs. Here’s a simplified version of what went wrong:

Vulnerable code (before 4..7)

// Handling a delete request (simplified example)
// Any POST that reaches this admin page is trusted: there is no proof that the
// request came from the plugin's own form rather than from another site.
if (isset($_POST['delete_custom_url'])) {
    $url_id = intval($_POST['url_id']);
    delete_custom_url($url_id);
}

There is no nonce check here. The secure version looks like this:

// Secure way (includes a CSRF/nonce check)
// check_admin_referer() verifies the nonce that the plugin's own form emitted
// with wp_nonce_field('delete_url_action') and calls wp_die() if it is missing
// or invalid, so a form hosted on another site never reaches the delete call.
if (isset($_POST['delete_custom_url']) && check_admin_referer('delete_url_action')) {
    $url_id = intval($_POST['url_id']);
    delete_custom_url($url_id);
}

An attacker could set up a form on another website like this:

<form method="POST" action="https://vulnerablesite.com/wp-admin/admin.php?page=pagespeed-insights">
  <input type="hidden" name="delete_custom_url" value="1">
  <input type="hidden" name="url_id" value="123"> <!-- id of URL to delete -->
  <input type="submit" value="Click Me!">
</form>

If a logged-in admin is tricked into submitting this form, or the page auto-submits it, the browser attaches the admin's session cookies and the custom URLs are deleted.
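To make the nonce check concrete, here is an added example (not code from the plugin or from WordPress) that models how a WordPress-style nonce is minted and verified, then runs the forged cross-site request and the plugin's own form through both the pre-fix and the fixed delete handler. The secret key, the sample URL store, and the `delete_url_action` handler names are constructed for the demo; the tick arithmetic mirrors WordPress's 12-hour nonce ticks.

```python
import hashlib
import hmac
import math
import time

# Constructed demo secret; real WordPress also mixes the site salts and the
# user's session token into its nonces. This models the scheme, not WP's code.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
NONCE_LIFE = 24 * 60 * 60  # a nonce lives about a day: two 12-hour ticks

def nonce_tick(now=None):
    """Current 12-hour tick, mirroring wp_nonce_tick()."""
    return math.ceil((time.time() if now is None else now) / (NONCE_LIFE / 2))

def _nonce_for_tick(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:]

def create_nonce(action, user_id, now=None):
    """Token bound to one action and one user; a third-party page cannot forge it."""
    return _nonce_for_tick(nonce_tick(now), action, user_id)

def verify_nonce(nonce, action, user_id, now=None):
    """1 if minted in the current tick, 2 if in the previous one, else False."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(nonce, _nonce_for_tick(t, action, user_id)):
            return age
    return False

def delete_custom_url_vulnerable(post, custom_urls):
    """Pre-fix handler: any POST naming a url_id deletes it, nonce or not."""
    if "delete_custom_url" not in post:
        return False
    return custom_urls.pop(int(post["url_id"]), None) is not None

def delete_custom_url_fixed(post, custom_urls, user_id, now=None):
    """Fixed handler: the gate that check_admin_referer('delete_url_action') adds."""
    if "delete_custom_url" not in post:
        return False
    if not verify_nonce(post.get("_wpnonce", ""), "delete_url_action", user_id, now):
        return False  # WordPress would wp_die() here instead of deleting
    return custom_urls.pop(int(post["url_id"]), None) is not None

def demo(now=1_700_000_000):
    admin = 1
    forged = {"delete_custom_url": "1", "url_id": "123"}  # attacker's form: no nonce
    legit = dict(forged, _wpnonce=create_nonce("delete_url_action", admin, now))
    store = lambda: {123: "https://example.com/a", 456: "https://example.com/b"}
    return (delete_custom_url_vulnerable(forged, store()),          # True
            delete_custom_url_fixed(forged, store(), admin, now),   # False
            delete_custom_url_fixed(legit, store(), admin, now))    # True
```

Running `demo()` shows the forged request succeeding against the old handler and being refused by the fixed one, while the plugin's own form, which carries the nonce, still works.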

References & Official Details

- Official CVE Entry - CVE-2022-1672
- Plugin Vulnerabilities Report
- WordPress.org Plugin Page

How to Protect Your Site

1. Update the Plugin: Make sure you use v4..7 or later of Insights from Google PageSpeed.

2. Check for Nonces: If you develop plugins, *always* verify a valid WordPress nonce before performing sensitive actions.

3. Regular Plugin Audits: Use tools like WPScan or other vulnerability scanners.

Conclusion

CVE-2022-1672 is a stark reminder of how small security omissions can cause big problems. Luckily, updating the plugin to v4..7 blocks this attack. Always keep plugins updated—and if you build WordPress tools, make CSRF checks a habit!

Timeline

Published on: 07/17/2022 11:15:00 UTC
Last modified on: 07/18/2022 12:10:00 UTC