CVE-2022-4021 The Permalink Manager lite plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in versions up to 2.2.20.1.

This occurs because the plugin does not perform nonce checking, which makes it possible for attackers to submit crafted requests and perform actions such as changing a site’s permalinks or site map settings. A Cross-Site Request Forgery (CSRF) vulnerability in Permalink Manager Lite plugin for WordPress could be exploited by hackers to make unauthorized changes to a website's settings. Permalink Manager Lite plugin for WordPress versions 2.2.20 and below are vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in the extra_actions function. An attacker could exploit this by forging a request and tricking administrator of the website into performing an action such as changing the settings of a permalink structure. Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in the extra_actions function. An attacker could exploit this by forging a request and tricking administrator of the website into performing an action such as changing the settings of a permalink structure. Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in the extra_actions function. An attacker could exploit this by forging a request and tricking administrator of the website into performing an action such as changing the settings of a permalink structure

Summary of a vulnerability

A Cross-Site Request Forgery vulnerability was found in the Permalink Manager Lite plugin for WordPress. This allows an attacker to trick a website’s administrator into performing an action such as changing the settings of a permalink structure.

Exploitation of Cross-Site Request Forgery vulnerability

CSRF vulnerabilities can be exploited to perform actions such as changing a site’s permalinks or site map settings. An attacker could exploit this to gain access to sensitive information such as user credentials and make unauthorized changes on the website.

Products Affected

WordPress Permalinks plugin versions 2.2.20 and below are vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in the extra_actions function.

How Cross-Site Request Forgery (CSRF) Works?

CSRF is a type of vulnerability that enables attackers to perform actions on the targeted website without user interaction. Typically, a CSRF attack takes place when an attacker tricks a vulnerable website's browser into sending requests to the target website on their behalf by manipulating the site's URL.

Timeline

Published on: 11/16/2022 14:15:00 UTC
Last modified on: 11/18/2022 04:45:00 UTC

References