CVE-2022-40223 - How a Nonce Token Leak and Missing Authorization in SearchWP Premium <= 4.2.5 Let Attackers Change WordPress Plugin Settings

WordPress powers over 40% of the web, but its popularity also makes it a huge target. Today we’ll break down a real vulnerability—CVE-2022-40223—discovered in the popular SearchWP premium plugin (up to version 4.2.5). We’ll see how improper handling of a nonce token and missing access controls could let attackers tamper with your site’s search plugin settings.

What Is SearchWP?

SearchWP is a premium WordPress plugin that improves the search functionality of your website. It helps users find content more easily by giving you options to customize how search works behind the scenes.

What’s The Problem?

On versions up to 4.2.5, SearchWP failed to properly secure key AJAX actions. It leaked a "nonce" (a security token meant to stop CSRF attacks), and even worse, didn’t check if the user had the right permissions when changing its settings via AJAX.

With just a little effort, someone with no admin rights—or not even logged in!—could change plugin settings and potentially compromise the site’s search experience, or worse.

Original Advisories and References

- Wordfence: Missing Authorization to Sensitive Actions in SearchWP
- NVD entry for CVE-2022-40223
- Patchstack Disclosure

1. Nonce Token Leakage

WordPress uses "nonces" to make sure that form submissions or AJAX requests are coming from users who are supposed to be doing the action. SearchWP’s settings page output this token right into the page, where it could be read by any site visitor viewing source or via client-side scripts.

*Example:*

<script>
var searchwp_nonce = 'abcdef123456';
</script>

This value could often be scraped by attackers.

2. Missing Permission Checks

The vulnerable AJAX endpoint didn’t properly check if the requesting user was allowed to change settings. Here’s a simplified & fictionalized snippet, based on how these endpoints were typically coded:

add_action('wp_ajax_searchwp_save_settings', 'searchwp_save_settings_callback');

function searchwp_save_settings_callback() {
    $nonce = $_POST['_wpnonce'];
    if (!wp_verify_nonce($nonce, 'searchwp-settings')) {
        wp_send_json_error('Invalid nonce');
        return;
    }

    // Oops! Not checking current_user_can('manage_options') or similar.
    $settings = $_POST['settings'];
    update_option('searchwp_settings', $settings);

    wp_send_json_success('Settings updated!');
}

The problem: Anyone with the nonce could POST new settings—even without high-level user permissions.

d "settings[search_engine]=malicious_settings_here" \

https://victim-site.com/wp-admin/admin-ajax.php

The plugin settings get changed by someone who shouldn’t be allowed to do so.

- The attacker could mess with search results, inject strange configurations, or potentially pivot to more damaging exploits.

*Example of a secure pattern:*

if ( ! current_user_can('manage_options') ) {
    wp_send_json_error('Insufficient permissions');
    return;
}

Am I Vulnerable? What Should I Do?

- If you use SearchWP: Update to at least version 4.2.6. Check your site for any unexpected changes to plugin settings.
- General advice: Always keep plugins up-to-date, restrict admin panel access, and watch your site for odd behavior.

Final Thoughts

CVE-2022-40223 is a perfect example of why both nonce security and access controls matter. Leaking a nonce isn’t just a theoretical problem—it can bridge right to a full site compromise if other checks are missing.

Keep your plugins updated, and don’t assume that a nonce alone is enough.

References

- NVD Entry
- Wordfence Advisory
- Patchstack Report

*Stay safe, update your plugins, and remember: security is everyone’s job!*

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:56:00 UTC