Themes Vulnerabilities

Ask Me < 6.8.4 - CSRF in Edit Profile

Description

The theme does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user to change their profile information by sending a crafted request.

Version 6.8.2 introduced nonce checks, but these are bypassed when the 'mobile' parameter is passed as well.

Proof of Concept

Affects Themes

ask-me
Fixed in 6.8.4

References

CVE
CVE-2022-1251

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScan team
Submitter
Harald Eilertsen
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
34b3fc35-381a-4bd7-87e3-f1ef0a15a349

Timeline

Publicly Published
2022-08-01 (about 3 years ago)
Added
2022-08-01 (about 3 years ago)
Last Updated
2023-04-30 (about 2 years ago)

Other

Published
Title
Published
2025-05-07
Title
워드프레스 결제 심플페이 < 5.3.3 - Cross-Site Request Forgery
Published
2025-11-17
Title
Project Honey Pot Spam Trap <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-08-19
Title
Snapshot Backup <= 2.1.1 - Stored XSS via CSRF
Published
2025-08-29
Title
Related Posts Lite <= 1.12 - Cross-Site Request Forgery
Published
2023-11-21
Title
UserPro < 5.1.2 - Cross-Site Request Forgery via multiple functions