In February 2022, a vulnerability identified as CVE-2022-25952 was discovered in the popular WordPress plugin Keywordrush Content Egg, versions up to 5.4.. The flaw was classified as a Cross-Site Request Forgery (CSRF), potentially enabling attackers to trick admin users into performing unintended actions, such as changing plugin settings.
If you use Content Egg for affiliate marketing or price comparison on your site, this vulnerability could put your entire WordPress installation at risk. Let’s break down how this bug works, how it was exploited, and how you can protect yourself.
What Is CSRF?
Cross-Site Request Forgery (CSRF) tricks an authenticated user into unknowingly executing actions on a site where they’re logged in. In WordPress, this often means attackers can get an admin to visit a malicious page, triggering dangerous changes like altering plugin settings or even adding new admins.
What is Content Egg?
Content Egg by Keywordrush is a plugin used for affiliate websites, allowing users to add product information, deals, and offers from many sources. It's very popular in price comparison and affiliate marketing sites.
Details of the Vulnerability
CVE-2022-25952 arises because the Content Egg plugin did not implement proper nonce verification (a WordPress security token) on some of its forms/actions in the WordPress Dashboard. As a result, if an administrator who is logged in to the site visits a page controlled by an attacker, that page can submit POST requests to the administrator's WordPress site, and the browser attaches the admin's session cookies automatically.
Impact:
Any admin action that should be protected by a security token could be abused. Examples include changing plugin settings, adding modules, or entering API keys.
How the attack works:
1. You are logged in to your WordPress dashboard as an administrator.
2. You visit a malicious website in another tab.
3. That site silently sends a POST request to your site's plugin settings endpoint, using your logged-in session.
Example Exploit
Here is a simplified code snippet of a CSRF proof-of-concept (PoC) that could exploit the vulnerability in Content Egg:
```html
<!--
Save this as csrf.html, then open it in your browser while logged into a target site’s wp-admin.
DEMO: This is educational only!
-->
<html>
<body>
<!-- The form targets the plugin's settings page; the browser attaches the admin's cookies automatically -->
<form action="https://victim-site.com/wp-admin/options-general.php?page=content-egg-settings" method="POST" id="csrf_form">
<input type="hidden" name="setting_1" value="attacker_value">
<input type="hidden" name="setting_2" value="attacker_value_2">
<!-- More hidden fields, as desired -->
</form>
<script>
// Auto-submit as soon as the page loads; no click from the victim is needed
document.getElementById('csrf_form').submit();
</script>
</body>
</html>
```
What does this do?
- When an admin visits this page while authenticated on their site, it automatically submits the form to their WP admin area.
- Because Content Egg (<= 5.4.) does not check the request's legitimacy, the settings are changed as if the admin had done it.
Why Did This Happen?
Content Egg, like many older plugins, forgot to use check_admin_referer() or similar nonce verification for some admin actions.
What’s a nonce?
It’s a special token generated by WordPress to confirm a user really meant to submit a form. If the nonce is missing or invalid, the action gets blocked.
If an attacker can send a POST request without a valid nonce, the plugin can't tell the difference between the real admin and the attacker’s tricked request.
Official References
- Original CVE record: CVE-2022-25952
- Patchstack advisory
- Content Egg Changelog
Vendor Patch
The Content Egg team addressed this issue by adding nonce verification in the affected actions after version 5.4.. Always update your plugins!
```php
// Example fix: reject the request unless it carries a valid nonce for this action.
// The nonce proves the form was rendered by WordPress for this user; a forged
// cross-site POST cannot supply it.
if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'update_content_egg_settings' ) ) {
    wp_die( 'Nonce verification failed!' );
}
```
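To show the nonce explained above in context, here is an added example (not Content Egg's code and not taken from the vendor patch or the Patchstack advisory) of a minimal settings page for a hypothetical plugin: the CSRF-vulnerable save handler beside a hardened one that renders a nonce with wp_nonce_field(), verifies it with check_admin_referer(), and checks the user's capability before writing. All myplugin_* names, the option name and the page slug are assumptions for illustration.

```php
<?php
// Added example for a hypothetical plugin; myplugin_* names, the option
// 'myplugin_api_key' and the slug 'myplugin' are assumptions, not Content Egg's.

// --- Vulnerable pattern: writes settings on any POST, with no nonce and no
// capability check. A page on another origin can trigger this exactly like
// the PoC above.
function myplugin_save_settings_vulnerable() {
    if ( isset( $_POST['myplugin_api_key'] ) ) {
        update_option( 'myplugin_api_key', sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) ) );
    }
}

// --- Hardened pattern, step 1: render the form with a nonce tied to a
// specific action name. WordPress derives the nonce from the action, the
// current user and the session, so another site cannot guess it.
function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', '_wpnonce' ); ?>
        <input type="text" name="myplugin_api_key"
               value="<?php echo esc_attr( get_option( 'myplugin_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, step 2: verify the nonce AND the capability before
// touching any option.
function myplugin_save_settings_hardened() {
    // check_admin_referer() calls wp_die() if the nonce is missing, expired,
    // or was issued for a different action or user.
    check_admin_referer( 'myplugin_save_settings', '_wpnonce' );

    // A nonce proves intent, not authorization: still check the capability,
    // otherwise any logged-in subscriber could submit the form directly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $api_key = isset( $_POST['myplugin_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) )
        : '';
    update_option( 'myplugin_api_key', $api_key );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myplugin' ) ) );
    exit;
}

// Register the settings page and route the POST through admin-post.php, so the
// handler only runs for the named action.
add_action( 'admin_menu', function () {
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options', 'myplugin', 'myplugin_render_settings_page' );
} );
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings_hardened' );
```

The two checks are deliberately separate: the nonce defends against a forged request riding on an administrator's session (this CVE), while the capability check defends against a low-privileged account that can obtain its own nonce by loading the form. Plugins that skip either one leave the settings endpoint exposed.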
How to Protect Yourself
1. Update Content Egg to the patched version as soon as possible.
2. Only allow trusted users to access your admin dashboard.
3. Consider using extra security plugins like Wordfence or Sucuri to monitor for CSRF attacks.
Conclusion
CVE-2022-25952 reminds us that even powerful WordPress plugins can be vulnerable if they skip basic security measures. If you use Content Egg, update immediately. If you develop plugins, always use nonces to protect admin actions.
Useful Links
- CVE-2022-25952 (NIST NVD)
- Patchstack Disclosure
- WordPress Plugin Security Best Practices
- Content Egg on WordPress.org
*Exclusively written for your security awareness: please use this information responsibly!*
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:08:00 UTC