Until you upgrade, any site whose comment form is affected is vulnerable to CSRF attacks. Update your site immediately to protect yourself. If you are not certain whether your site is affected, install the plugin described below and check whether it reports your comment form as vulnerable. To update your site, follow the steps here.

Install and activate the plugin

First, install the plugin. To do so, go to the following link and press “Install Now” for the version that suits your needs.
Next, activate the plugin from the Plugins page. Then return to your site and try commenting on a post again. If the plugin warns you about CSRF, update your site immediately.

HTML Injection (HTML5)

HTML injection affects the front end of your website and can be particularly dangerous for your site’s security. It occurs when input an attacker controls, such as the body of a comment, is written into a legitimate page without being encoded, so the browser treats it as markup rather than as text. For instance, an attacker could inject a link that takes users to their own website or a hidden element that redirects them to a malicious place on the web.
HTML injection is one of the most common vulnerabilities on the web, and it is very easy to exploit: a single field that is rendered without escaping is enough. If you are not careful, attackers can use it to steal your users’ data or, combined with script injection, to take control of your entire website.
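The following is an added example (not code from the original page or from any plugin it describes) showing the difference between concatenating a comment straight into markup and escaping it first. The comment text, the author name and the `escapeHtml` helper are constructed for illustration; `www.example2.com` is the attacker-controlled domain used elsewhere on this page.

```javascript
// Added example (not from the original page): rendering an untrusted comment
// into a page, first unsafely and then with HTML escaping.
// Assumption: comments are plain text, so every HTML-significant character
// in them should become an entity before it reaches the browser.

// Map every character that has meaning in HTML text or in a double-quoted
// attribute to its entity form.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Vulnerable: the comment body is concatenated straight into the markup,
// so any tag the commenter typed becomes part of the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is escaped before it is placed in the page.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude check for the outcome the text describes: did a link tag that the
// commenter supplied survive into the rendered output?
function containsInjectedTag(html) {
  return /<a\b[^>]*href=/i.test(html);
}

// Constructed sample comment: the body carries a link to the attacker's site.
const SAMPLE_AUTHOR = "mallory";
const SAMPLE_BODY = 'Nice post, <a href="https://www.example2.com/login">see also</a>';

console.log(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY)); // link is live
console.log(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY));   // link is shown as text
```

The escaping above is correct for HTML text and for values inside double-quoted attributes; a value placed inside a URL, a `<script>` block or an event handler attribute needs a different encoder for that context, so escape at the point of output, not at the point of input.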

What is CSRF?

Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a website they are logged in to, triggered from a different website they happen to visit. The vulnerability exists because of the way browsers and web servers interact. When a browser makes a request to a site, it automatically attaches that site’s cookies, including the session cookie, and any HTTP authentication credentials, regardless of which page started the request. A CSRF attack occurs when an attacker lures a user to a malicious page that causes the user’s browser to send requests to the target site on the user’s behalf; the server sees a valid session and performs the action.
An example scenario: your company runs www.example.com, and an attacker runs the look-alike site www.example2.com (your evil twin). The attacker lures your users to www.example2.com by posting links on social media or in email; a page there contains a hidden form, or an image tag, that the browser submits to www.example.com automatically. Because the browser attaches the user’s www.example.com cookies to that request, it arrives as if the logged-in user had made it.

Timeline

Published on: 10/10/2022 21:15:00 UTC
Last modified on: 10/12/2022 16:47:00 UTC
