Cross-Site Request Forgery Vulnerability in Permalink Manager Lite Plugin for WordPress
CVE-2022-4021

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Permalink Manager Lite
Vendor: CVE Published:; 16 November 2022

Summary

The Permalink Manager Lite plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation in the extra_actions function. This vulnerability allows unauthorized attackers to manipulate plugin settings, including permalinks and site maps, if they can deceive an admin into initiating a forged request, such as clicking on a malicious link. Proper nonce validation is critical to prevent such actions and safeguard user control over the plugin's functionality.

Affected Version(s)

Permalink Manager Lite * <= 2.2.20.1

References

https://plugins.trac.wordpress.org/changeset/2818142#file34

https://www.wordfence.com/vulnerability-advisories-contin...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 16, 2022
Vulnerability Reserved
Nov 16, 2022

Credit

Marco Wotschka