WordPress Plugin Vulnerabilities

Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update

Description

The plugin does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector

Proof of Concept

Affects Plugins

Plugin icon
change-wp-admin-login
Fixed in 1.1.0

References

CVE
CVE-2022-1589

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
257f9e14-4f43-4852-8384-80c15d087633

Timeline

Publicly Published
2022-05-09 (about 3 years ago)
Added
2022-05-09 (about 3 years ago)
Last Updated
2022-05-09 (about 3 years ago)

Other

Published
Title
Published
2025-12-16
Title
Ultimate Member < 2.11.1 - Authenticated (Subscriber+) Profile Privacy Setting Bypass
Published
2023-10-18
Title
BetterLinks < 1.6.1 - Improper Authorization to Data Import and Export
Published
2023-05-12
Title
WPCS – WordPress Currency Switcher Professional < 1.2.0 - Subscriber+ Missing Authorization Checks
Published
2021-09-28
Title
AutomatorWP < 1.7.6 - Missing Authorization and Privilege Escalation
Published
2025-04-16
Title
Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products < 2.7.8 - Unauthenticated Sensitive Information Exposure