In the ever-evolving landscape of web security, WordPress plugins are frequent targets for vulnerability exploits due to their sheer popularity. One such weakness was found in the Simple SEO plugin by David Cole (versions 1.8.12 and below). Tracked as CVE-2022-44627, this flaw is a Cross-Site Request Forgery (CSRF) vulnerability that can be abused by attackers to create or delete sitemaps on a target WordPress site without the user's consent.

In this post, we’ll break down how this vulnerability works, show real exploit examples, and link to original references. Security professionals, plugin users, and developers will all benefit from understanding this exploit—let’s dive in.

What Is CSRF?

CSRF stands for Cross-Site Request Forgery. It’s when an attacker tricks a logged-in user into performing actions on a web application without their consent—like changing an email, deleting content, or, in this case, creating/deleting sitemaps.

CSRF attacks are possible when web apps don’t verify whether a request came from an authorized user or origin. Adding a unique, session-based token is a usual protection, but Simple SEO missed this step.

Affected Versions: 1.8.12 and below

- WordPress Plugin URL: https://wordpress.org/plugins/simple-seo/

Vulnerability Summary

If an authenticated admin visits a malicious website while logged into their WordPress dashboard, attackers could make them submit requests to create or delete sitemaps—without any confirmation or security token required.

Attackers abuse this by sending specially made links or forms to target users with sufficient privileges.

How Simple SEO Handles Sitemap Actions

In the admin area, the Simple SEO plugin provided functionality to generate or delete sitemaps through direct GET or POST requests. Unfortunately, these functions did not check for WordPress nonces (security tokens meant to prevent CSRF).

Vulnerable Code Snippet (from plugin’s PHP)

if ( isset($_GET['simple_seo_action']) ) {
    if ( 'create_sitemap' === $_GET['simple_seo_action'] ) {
        simple_seo_generate_sitemap();
    }
    if ( 'delete_sitemap' === $_GET['simple_seo_action'] ) {
        simple_seo_delete_sitemap();
    }
}

What’s missing?
No verification to ensure action requests came from the site's admin interface (i.e., no nonce check).

They trick an admin into visiting their crafted page (via an email, message, or any other method).

3. If the admin is already logged into their WordPress dashboard, the exploit triggers and runs actions in the admin's context. The attacker doesn’t need direct access to the site.

Example (Change the URL to your victim’s site)

<!-- Auto-create sitemap CSRF exploit -->
<img src="https://example.com/wp-admin/admin.php?page=simple-seo&simple_seo_action=create_sitemap"; alt="" />
<!-- Auto-delete sitemap CSRF exploit -->
<img src="https://example.com/wp-admin/admin.php?page=simple-seo&simple_seo_action=delete_sitemap"; alt="" />

The <img> tag makes a GET request as soon as the page is loaded.

- Since there’s no nonce check, WordPress processes the request as if it was done intentionally by the admin.

Note

A POST request can also be used with a hidden form, but since the plugin acts on GET requests, the <img> trick is quick and simple.

Force regeneration of sitemaps, possibly with changes they prepared—or delete them to disrupt SEO.

- Push the site admin to unwittingly participate in further attacks (imagine malformed sitemaps uploaded).

Fix Status and Recommendations

This vulnerability was fixed in newer versions of the Simple SEO plugin. Users should immediately update to the latest version to stay safe.

References

- Original Plugin Page (WordPress.org)
- Patchstack Vulnerability Report
- CVE-2022-44627 Details (NVD)
- OWASP CSRF Explanation

Final Thoughts

CVE-2022-44627 is a good lesson: even simple plugins can open the door to effective attacks if security basics are skipped. Don’t delay updates, and if you make plugins, always validate requests thoroughly.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 13:06:00 UTC