WordPress Plugin Vulnerabilities

All in One SEO < 4.2.4 - Multiple CSRF

Description

The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions

Affects Plugins

Plugin icon
all-in-one-seo-pack
Fixed in 4.2.4

References

CVE
CVE-2022-38093

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad aka Yeraisci
Verified
No
WPVDB ID
5f31b537-186d-424c-a0c3-56f29146bb6e

Timeline

Publicly Published
2022-09-05 (about 3 years ago)
Added
2022-09-14 (about 3 years ago)
Last Updated
2022-09-14 (about 3 years ago)

Other

Published
Title
Published
2024-04-01
Title
SecuPress Free — WordPress Security < 2.2.5.2 - Cross-Site Request Forgery to Banned IP Address
Published
2025-10-24
Title
Simple Registration for WooCommerce < 1.5.9 - Cross-Site Request Forgery to Privilege Escalation via Role Request Approval
Published
2025-01-16
Title
WP-BlackCheck <= 2.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-10-16
Title
CloudSearch <= 3.0.0 - Cross-Site Request Forgery
Published
2021-06-30
Title
Express Shop < 4.0.3 - CSRF Bypass