WP Customer Area < 8.1.4 - Unauthorised Actions via CSRF
CVE-2022-4745

7.1HIGH

Key Information:

Vendor: Wordpress
Status: WP Customer Area
Vendor: CVE Published:; 13 February 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WP Customer Area plugin for WordPress prior to version 8.1.4 is vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient checks during specific actions such as creating directories, changing file permissions, and copying files. This lack of protection can be exploited by an attacker to trick an authenticated administrator into performing unintended actions, potentially resulting in unauthorized file manipulation and the creation of arbitrary folders within the affected WordPress installation.

Affected Version(s)

WP Customer Area 0 < 8.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-4745 - Proof of Concept

References

https://wpscan.com/vulnerability/9703f42e-bdfe-4787-92c9-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Feb 13, 2023
👾
Exploit known to exist
Feb 13, 2023
Vulnerability published
Feb 13, 2023
Vulnerability Reserved
Dec 27, 2022

Credit

rezaduty

WPScan