WordPress Plugin Vulnerabilities

Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation

Description

The plugin does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins

Proof of Concept

Affects Plugins

Plugin icon
webmaster-tools-verification
No known fix

References

CVE
CVE-2022-3538

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
337ee7ed-9ade-4567-b976-88386cbcf036

Timeline

Publicly Published
2022-10-19 (about 3 years ago)
Added
2022-10-19 (about 3 years ago)
Last Updated
2022-10-19 (about 3 years ago)

Other

Published
Title
Published
2024-04-09
Title
Post Type Builder < 2.1.4 - Subscriber+ Arbitrary Post/Page Creation
Published
2023-12-27
Title
WP Frontend Profile < 1.3.2 - Unauthenticated Privilege Escalation
Published
2025-10-12
Title
Porto Theme - Functionality <= 3.6.2 - Missing Authorization
Published
2023-11-30
Title
Quotes for WooCommerce < 2.0.2 - Missing Authorization
Published
2025-04-22
Title
JNews <= 11.6.5 - Missing Authorization